User:Woozle/blog/2013/10/06/1339/Updates and such

From VbzWiki

Updates and such

posted at 2013-10-06 1339

I've been mainly posting updates elsewhere, but I probably should post here as well. A security rewrite-and-expansion is in progress, and also a substantial re-envisioning of what this thing is all about.

First: the security for handling credit card numbers was atrocious. This was perhaps forgivable when I originally wrote the current incarnation a decade ago (or when I designed the database in 1999 or so), but the internet is a different place now.

All credit card numbers stored on the server are now public-key encrypted with a liberal dose of random salting, and the private key is not stored on the server. That way, even if someone manages to steal the entire database, they still won't get any credit card numbers.
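As an added illustration of the storage design described above (example code written here, not from VBZ's own codebase), this shows the shape of it in Go: the web server holds only the public key, RSA-OAEP's built-in random seed supplies the per-encryption salting, and decryption needs the private key kept on a separate machine. The function names, the OAEP label and the sample card number are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// oaepLabel is a hypothetical context label binding ciphertexts to this use.
var oaepLabel = []byte("vbz-card-number")

// encryptCardNumber is all the web server can do, since it holds only the
// public key. RSA-OAEP mixes a fresh random seed into every encryption, the
// "random salting" mentioned above: the same card number encrypted twice
// yields different ciphertexts, so a stolen database cannot be matched
// against guessed numbers by re-encrypting them under the public key.
func encryptCardNumber(pub *rsa.PublicKey, pan string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(pan), oaepLabel)
}

// decryptCardNumber needs the private key, which never lives on the server;
// it runs on the separate machine where orders are actually charged.
func decryptCardNumber(priv *rsa.PrivateKey, ct []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Key pair generated here only for the demo; in practice the private
	// half is generated and kept off-server, and only the public half is deployed.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	pan := "4111111111111111" // constructed sample number, not a real card
	ct1, _ := encryptCardNumber(&priv.PublicKey, pan)
	ct2, _ := encryptCardNumber(&priv.PublicKey, pan)
	fmt.Printf("same number, different ciphertexts: %v\n", !bytes.Equal(ct1, ct2))
	recovered, err := decryptCardNumber(priv, ct1)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted off-server: %s\n", recovered)
}
```

OAEP also authenticates the ciphertext, so a row altered in a stolen or tampered database fails to decrypt instead of yielding a wrong number.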

Second: This led to the need to fix up the horrible "order import" routines. This is a "behind the counter" operation users never had to deal with, in which existing customers were searched using contact information in new orders to see if each new order might be a repeat order -- and then matches were manually confirmed, a process which greatly slowed down order handling (especially when it broke, which was frequently).

I'm replacing that mess with a login system: if you've ordered here before, you can create an account and confirm the email address(es) you used previously as belonging to you. Later, I may set up a system which automatically scours the customer records looking for possible duplicates and queues them for manual confirmation, but hopefully this won't be necessary.

Third, and much less technically: VBZ is going to be a worker self-directed enterprise; see The Virtual Bazaar Manifesto for an introduction. I'm not sure yet how to set this up legally. I do need to re-incorporate, but I'm not yet sure if it should be as a co-operative or as a for-profit with bylaws that set up a co-operative structure. More about this when I'm ready to start researching that for real.

I think that's all for now; feel free to check the Community on G+ for updates and discussion as well.