I have some questions and apologize if these have been answered somewhat, but would like some clarification on a few things.
I took a quick look at your website, and I somewhat applaud you for the simplicity, and lacking open-source 3rd party plugins which all seem to be vulnerable and give a foothold into your server.
Editing the form isn’t anything. That’s not an exploit or vulnerability. But that member does bring up an interesting point. How do you handle the session? Cookies? What are you doing to protect the customer from session hijacking?
A few questions here.
1. How is your private key stored/protected? (You don’t have to go into detail here, but I am looking for some keywords.)
2. This is encryption at rest. Meaning if someone acquired physical access to your servers, popped them open and plugged the hard drives in, all they would see is random strings. I also see the website is using SSL, which protects in transit. Good. This leads me to my next question.
3. Since you’re an “international marketplace” with vendors across the globe, how are you ensuring the end user/customer is connecting to a server location in which their country has 0 relation with?
4. Non-compliant servers are fun. Can you go into detail here? How are you going to handle the snooping ISP upstream of the (I’m assuming) data center they are colocated in?
A bug/exploit bounty program? I kind of like that. In fact, many of the big tech companies out there do something similar. They don’t pay upfront; however, if you find something they will pay you for reporting it. I’ve done this once or twice (legally) to make a nice little bonus check. Most would rather sell it to a shadow broker.
Much appreciated, really.
"Editing the form isn’t anything. That’s not an exploit or vulnerability."
Of course, I was just showing people how to fake an exploit. With regards to session management, it's all vanilla with how Laravel handles it. That's gonna be the source for nitty-gritty answers on that question.
1-2. In response to the encryption questions, I think this information is best explained/found by looking into the framework itself: Laravel.
What gets saved to the DB is encrypted, yeah. And yeah, of course naturally we have SSL.
https://laravel.com/docs/8.x/encryption
3. Well, our servers are hosted in countries where AAS is legal.
4. You've lost me here, but I'll see if I can get back to you with a more compelling answer. What I can tell you is your shipping information is encrypted and also can be manually deleted by you at any time. No snooping ISP can just grab this data, as you know, and in reality that's what matters. All that being said, general safety rules still apply. Users should still visit the site with a VPN and/or Tor, though I understand most won't.
And again the servers are in countries where data laws are very tolerant and AAS is legal.
Thanks. I really appreciate the non-accusatory tone and level-headed questions. I hope I've answered your questions to your satisfaction, or at least directed you to the source of a better technical breakdown of the topics.
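To make the "what gets saved to the DB is encrypted" answer above concrete, here is an added example that is not from the thread or from Laravel's own code: a plain-PHP re-implementation of the payload Laravel 8's Crypt facade writes to a column, assuming its default AES-256-CBC cipher and a `base64:`-prefixed APP_KEY, run against a constructed shipping-address string. It shows what a stolen disk image yields without the key, why tampering with the stored blob is caught, and why question 1 (how the key is stored) is the whole game.

```php
<?php
// Added example, not from the thread or from Laravel itself: mirrors what
// Illuminate\Encryption\Encrypter does for AES-256-CBC, using only ext-openssl
// so it runs stand-alone with the php CLI.

// APP_KEY in a Laravel .env is "base64:<32 random bytes>". Constructed here.
$appKey = 'base64:' . base64_encode(random_bytes(32));

function laravelEncrypt(string $plaintext, string $appKey): string {
    $key = base64_decode(substr($appKey, strlen('base64:')));
    $iv  = random_bytes(openssl_cipher_iv_length('aes-256-cbc'));
    // options=0 makes openssl_encrypt return base64 ciphertext, as Laravel does.
    $value = openssl_encrypt($plaintext, 'aes-256-cbc', $key, 0, $iv);
    $ivB64 = base64_encode($iv);
    // Encrypt-then-MAC: HMAC-SHA256 over base64(iv) . base64(ciphertext).
    $mac = hash_hmac('sha256', $ivB64 . $value, $key);
    $json = json_encode(['iv' => $ivB64, 'value' => $value, 'mac' => $mac, 'tag' => ''], JSON_UNESCAPED_SLASHES);
    return base64_encode($json);
}

function laravelDecrypt(string $payload, string $appKey): ?string {
    $key  = base64_decode(substr($appKey, strlen('base64:')));
    $data = json_decode((string) base64_decode($payload, true), true);
    if (!is_array($data) || !isset($data['iv'], $data['value'], $data['mac'])) {
        return null; // malformed payload
    }
    // Constant-time MAC check before the ciphertext is touched at all.
    $expected = hash_hmac('sha256', $data['iv'] . $data['value'], $key);
    if (!hash_equals($expected, $data['mac'])) {
        return null; // tampered payload, or a different APP_KEY
    }
    $plain = openssl_decrypt($data['value'], 'aes-256-cbc', $key, 0, base64_decode($data['iv']));
    return $plain === false ? null : $plain;
}

// What a row in the shipping table holds: an opaque base64 blob (constructed data).
$stored = laravelEncrypt('Jane Doe, 1 Example St, Springfield', $appKey);
echo "DB column: $stored\n";
echo "Decrypted with APP_KEY: ", laravelDecrypt($stored, $appKey), "\n";

// Flip one character of the stored ciphertext: the MAC check rejects it.
$tampered = json_decode(base64_decode($stored), true);
$tampered['value'][0] = $tampered['value'][0] === 'A' ? 'B' : 'A';
$result = laravelDecrypt(base64_encode(json_encode($tampered)), $appKey);
echo $result === null ? "Tampered payload rejected\n" : "BUG: tampering went unnoticed\n";

// A different key (all a stolen disk image gives you) yields nothing.
$result = laravelDecrypt($stored, 'base64:' . base64_encode(random_bytes(32)));
echo $result === null ? "Wrong key rejected\n" : "BUG: decrypted with wrong key\n";
```

The flip side is that anyone holding APP_KEY (a leaked `.env`, a backup, a compromised deploy host) decrypts every row, which is why the first poster's question about key storage matters more than the cipher choice.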