Rail Users Ireland Forum

Unread 28-04-2010, 15:25   #1
Thomas Ralph
IT Officer
 
Join Date: Sep 2007
Location: Greenwich, London
Posts: 1,860

That would require a new SSL certificate.
Unread 28-04-2010, 15:30   #2
markpb
Member
 
Join Date: Dec 2005
Posts: 541

Quote:
Originally Posted by Thomas Ralph
That would require a new SSL certificate.

It's not hard to terminate the SSL connection on one machine and then direct one URL to the IIS server and another to the Apache server. It's fully acceptable to do that under PCI-DSS rules. There's no reason for Irish Rail to adopt the approach they've taken other than laziness.
Unread 28-04-2010, 16:53   #3
al2637
Member
 
Join Date: Dec 2005
Posts: 191

IIS or Apache doesn't matter; they can both tunnel to each other. In fact, I'd assume they'd have an SSL layer at the front (usually a separate hardware device; doing SSL on a webserver isn't the most efficient use of resources), which then distributes traffic to the various backend presentation layers (usually not under https either).

Anyway, end of tech. chat. There are numerous ways to do it, IE, sort it out.
Unread 28-04-2010, 16:58   #4
robdrysdale
Member
 
Join Date: Dec 2005
Posts: 75

Quote:
Originally Posted by markpb
It's not hard to terminate the SSL connection on one machine and then direct one URL to the IIS server and another to the Apache server. It's fully acceptable to do that under PCI-DSS rules. There's no reason for Irish Rail to adopt the approach they've taken other than laziness.

Yep. It's called ProxyPass on Apache and I believe Application Request Routing on IIS (which I believe they are running on their main irishrail.ie server). See http://www.iis.net/download/ApplicationRequestRouting
Pretty trivial to do. Use it all the time on servers in work.

Running on port 8443 is pretty bad IT really.

Also, from a security perspective, don't think I'd ever expose an Apache Tomcat server directly to the external world as they have done. I'd question whether their infrastructure can handle the load of many thousands of users as this system goes live.
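
The arrangement discussed in posts #2 to #4, as an added example that is not part of any post in this thread and is not Irish Rail's configuration: one Apache front end terminates TLS on port 443 and routes by URL path to two backends, so the Tomcat server is never reachable directly on 8443. The hostname, certificate paths, the /booking/ path and the backend addresses are placeholder assumptions.

```apache
# Constructed example. Requires mod_ssl, mod_proxy, mod_proxy_http and mod_headers.
# www.example.org, /booking/, 127.0.0.1:8080 and 10.0.0.20 are placeholders.
<VirtualHost *:443>
    ServerName www.example.org

    # TLS is terminated here, so one certificate on the standard port
    # covers every application behind this front end.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.org.key

    # Reverse proxy only: never relay arbitrary client-chosen destinations.
    ProxyRequests Off
    # Pass the original Host header so backends build correct absolute links.
    ProxyPreserveHost On
    # Backends see plain HTTP; tell them the client connection was HTTPS.
    RequestHeader set X-Forwarded-Proto "https"

    # Rules are evaluated in order and the first match wins, so the more
    # specific path goes first. The Tomcat application listens on loopback
    # only (in Tomcat, address="127.0.0.1" on the Connector) and is
    # reachable solely through this proxy.
    ProxyPass        /booking/ http://127.0.0.1:8080/booking/
    ProxyPassReverse /booking/ http://127.0.0.1:8080/booking/

    # Everything else goes to the second web server (the IIS host in the
    # thread's scenario) on an internal address.
    ProxyPass        / http://10.0.0.20/
    ProxyPassReverse / http://10.0.0.20/
</VirtualHost>
```

With this in place the firewall only needs to admit 443 to the front end; the backend ports stay closed to the outside.
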
Unread 28-04-2010, 18:59   #5
Mark Gleeson
Technical Officer
 
Join Date: Dec 2005
Location: Coach C, Seat 33
Posts: 12,669

We continue to work with Irish Rail to sort out issues with the system. Several more bugs got squashed today.

We are not privy to the exact setup Irish Rail have; the port issue is an issue we have raised and is a priority issue to solve. The smartcard functions fine without the website, and you can get one from a ticket vending machine anywhere in Dublin.
Unread 28-04-2010, 21:45   #6
Mark Hennessy
Membership Officer
 
Join Date: Dec 2005
Location: Maynooth
Posts: 1,116

Just a reminder that bugs and issues with the Smartcards and Smartcard use while commuting go here:
http://www.railusers.ie/forum/showthread.php?t=12317

IT specific issues with the website can stay here on this thread.
All times are GMT.

