• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 389

Secure form processing - best solutions

Even with an SSL-encoded page, a form that sends you an email is still considered not entirely secure, correct? What is the best way to set up a secure form?
Asked by ServalStudios
 
Jason C. Levine commented:
The form submission to the server would be secure under SSL but the email would go out as plain text or MIME depending on exactly how you have things set.

What are you worried about?
 
ServalStudios (Author) commented:
Web designers have told me that, since it is sent as email from the server, it is no longer secure. As soon as it becomes email (as in plain text or MIME) it is not secure any longer. I would think if you are the only one retrieving it, it would be - but..
 
Jason C. Levine commented:
That's true, the email itself is not secure but no emails are unless you are using encryption (like PGP or similar) to render the contents of the message unreadable except to the person with the decryption key.  This is well beyond most users but certainly doable with a variety of methods.  

However, it's overkill.  There really is no reason to be this paranoid unless you are already using encryption with all of your email.  
 
ServalStudios (Author) commented:
Thank you for your insight. I have had several web designers, especially ones online, say that you never use an email system, but they can't explain how someone would be able to access this info. So I thought maybe there was another way. If they thought this wasn't safe, they weren't offering a solution.

I use a shopping cart that splits the credit card numbers in half, emailing one section, then leaving the other in the database.
 
Jason C. Levine commented:
>> I use a shopping cart that splits the credit card numbers in half, emailing one section, then leaving the other in the database.

Ah-ha.  That's NOT good because neither # is encrypted so people would be able to put the number together if they got access to both elements (db and email).  The short version is you should never, ever store or transmit credit card numbers in the clear even if you play games like splitting them up.  The best of all possible worlds is that you never store the card numbers, you just transmit them to the gateway and receive the response code.  If you absolutely must store them in a db, encrypt that column to within an inch of its life.  Do not send them by email at all.  At the absolute worst, you can send the last 4 digits in the clear as part of a receipt or tracking email.

How much do you know about PCI compliance https://www.pcisecuritystandards.org/  ?  If the answer is "not much," then you need to get educated about this because you are potentially exposing yourself or your clients to serious legal problems and lawsuits.  
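An added example, not from the thread or from any shopping-cart product mentioned in it: a Go check that enforces the rule in the comment above, that at most the last four digits of a card number ever leave in a receipt or tracking email. It scans an outgoing message body for 13- to 19-digit runs that pass the Luhn check (the checksum every card brand applies to its PAN), masks all but the last four, and reports how many it found so the sender can refuse to send instead of shipping a redacted copy. The digit-run heuristic, the function names and the sample receipt are this example's own; the card numbers in it are the public Visa and MasterCard test numbers, not real cards.

```go
package main

import (
	"fmt"
	"strings"
)

func isDigit(c byte) bool { return c >= '0' && c <= '9' }

// luhnValid reports whether a string of ASCII digits passes the Luhn check
// that every card brand applies to its primary account number (PAN).
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(digits) > 0 && sum%10 == 0
}

// MaskPAN keeps only the last four digits, the most that should ever appear in
// a receipt or tracking email.
func MaskPAN(digits string) string {
	if len(digits) <= 4 {
		return digits
	}
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

// scanNumber reads a candidate number starting at text[i] (a digit), allowing
// a single space or dash between digit groups, and returns the digits and the
// index just past the run. The grouping rule is this example's own heuristic.
func scanNumber(text string, i int) (string, int) {
	var digits strings.Builder
	j := i
	for j < len(text) {
		c := text[j]
		sep := (c == ' ' || c == '-') && j+1 < len(text) && isDigit(text[j+1])
		if isDigit(c) {
			digits.WriteByte(c)
		} else if !sep {
			break
		}
		j++
	}
	return digits.String(), j
}

// RedactPANs scans free text (an outgoing email body, a log line) and masks
// every 13- to 19-digit run that passes Luhn. It returns the redacted text
// and the number of PANs found, so the caller can refuse to send or alert
// rather than quietly ship a masked copy.
func RedactPANs(text string) (string, int) {
	var out strings.Builder
	found, i := 0, 0
	for i < len(text) {
		if !isDigit(text[i]) {
			out.WriteByte(text[i])
			i++
			continue
		}
		d, j := scanNumber(text, i)
		if n := len(d); n >= 13 && n <= 19 && luhnValid(d) {
			out.WriteString(MaskPAN(d))
			found++
		} else {
			out.WriteString(text[i:j]) // not a card number; keep verbatim
		}
		i = j
	}
	return out.String(), found
}

func main() {
	// Constructed sample receipt. 4111... and 5500... are the public Visa and
	// MasterCard test numbers, not real cards.
	receipt := "Order #1234567890123 paid with 4111 1111 1111 1111 (backup 5500000000000004)."
	clean, n := RedactPANs(receipt)
	fmt.Printf("found %d PAN(s)\n%s\n", n, clean)
}
```

Treat this as a last line of defence on the mail path, not as the design: the advice in the comment stands, hand the number to the payment gateway and keep only its response code. A long order or tracking number that happens to pass Luhn will also be masked; if that matters, tighten the scan to the brand prefixes and lengths you actually accept.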
 
ServalStudios (Author) commented:
The payment card splitting is done by a company that I have a website with - not something I deal with, and the remaining part of the card is encrypted. So it is not mine.

So really it gets back to my original question.  Any kind of sensitive info should not be transmitted by email.  So back to square one with trying to figure out how to do this.  The only thing I can think of is that it goes into a database that is later retrieved.
 
Jason C. Levine commented:
>>  The only thing I can think of is that it goes into a database that is later retrieved.

Yes, but since the portion that goes into the database is encrypted, the other portion sent by email should be ok.   I would still check this method against the PCI standards to make sure you're in the clear.  If the encryption is a simple MD5 transformation with no salting variable, it may not be considered strong enough.

To be honest, we're somewhat in the weeds here.  This is really an oddball method of running a cart...
 
ServalStudios (Author) commented:
Yeah, it's an odd cart, but not something I have anything to do with; I was just using it as an example of how they were concerned about email transmission.

My original question was about setting up an email form.  Not part of a shopping cart.  Not part of the example that I gave.   If there is a concern about information being transferred by email, there must be solutions out there.  So that's what I am looking for.

 
Jason C. Levine commented:
As I said, there are any number of ways to encrypt an email provided you are not expecting any random person to be able to follow the decrypt procedure.  If you are sending it to one person or to yourself, it's feasible.

http://devzone.zend.com/article/1265
http://www.kelv.net/programming/pgp.php

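The approach in Jason's last comment, encrypting the submission to the one person who will read it so the email is unreadable anywhere in between, as an added example in Go. This is not code from the thread or from the PHP/PGP articles linked above: Go's standard library has no OpenPGP, so it uses an ephemeral X25519 key agreement plus AES-256-GCM as a stand-in for PGP, with the same division of roles (the web server holds only the recipient's public key; the private key stays with the recipient). The message framing, the SHA-256-based key derivation and the function names are assumptions of this example; it needs Go 1.20 or later for crypto/ecdh.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Framing for the email body; the markers and header are this example's own.
const beginMarker, endMarker, ephPrefix = "-----BEGIN SEALED FORM-----", "-----END SEALED FORM-----", "Ephemeral: "

// aeadFor runs the X25519 agreement and builds AES-256-GCM. The plain SHA-256
// derivation over the shared secret and both public keys is an assumption of
// this example; production code would use HKDF or an OpenPGP/age library.
func aeadFor(own *ecdh.PrivateKey, peer *ecdh.PublicKey, ephPub, recipPub []byte) (cipher.AEAD, error) {
	shared, err := own.ECDH(peer)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	for _, p := range [][]byte{[]byte("sealed-form-v1"), shared, ephPub, recipPub} {
		h.Write(p)
	}
	block, err := aes.NewCipher(h.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealForRecipient encrypts the submitted fields to the recipient's public key;
// the web server never holds anything that can decrypt them.
func SealForRecipient(fields map[string]string, recipient *ecdh.PublicKey) (string, error) {
	plain, err := json.Marshal(fields)
	if err != nil {
		return "", err
	}
	eph, err := ecdh.X25519().GenerateKey(rand.Reader) // fresh key per message
	if err != nil {
		return "", err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm, err := aeadFor(eph, recipient, ephPub, recipient.Bytes())
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// ephPub is authenticated as associated data, so swapping it in transit
	// fails the tag check on open. The data line carries nonce||ciphertext.
	sealed := gcm.Seal(nonce, nonce, plain, ephPub)
	return strings.Join([]string{beginMarker,
		ephPrefix + base64.StdEncoding.EncodeToString(ephPub),
		base64.StdEncoding.EncodeToString(sealed), endMarker, ""}, "\n"), nil
}

// OpenSealed runs on the recipient's side with the private key; any error
// means the contents must not be trusted.
func OpenSealed(body string, priv *ecdh.PrivateKey) (map[string]string, error) {
	var ephB64, dataB64 string
	for _, line := range strings.Split(body, "\n") {
		line = strings.TrimSpace(line)
		switch {
		case line == "" || line == beginMarker || line == endMarker:
		case strings.HasPrefix(line, ephPrefix):
			ephB64 = strings.TrimPrefix(line, ephPrefix)
		default:
			dataB64 += line // ciphertext may be folded over several lines
		}
	}
	ephPub, err1 := base64.StdEncoding.DecodeString(ephB64)
	sealed, err2 := base64.StdEncoding.DecodeString(dataB64)
	ephKey, err3 := ecdh.X25519().NewPublicKey(ephPub)
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("not a sealed form message")
	}
	gcm, err := aeadFor(priv, ephKey, ephPub, priv.PublicKey().Bytes())
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("malformed sealed form message")
	}
	plain, err := gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], ephPub)
	if err != nil {
		return nil, errors.New("decryption failed: wrong key or tampered message")
	}
	var fields map[string]string
	err = json.Unmarshal(plain, &fields)
	return fields, err
}

func main() { // constructed demo; in use only the public key sits on the web server
	recipient, _ := ecdh.X25519().GenerateKey(rand.Reader)
	body, _ := SealForRecipient(map[string]string{"message": "call about order 42"}, recipient.PublicKey())
	fmt.Print(body) // the email body
	fmt.Println(OpenSealed(body, recipient))
}
```

SealForRecipient's output is the body handed to the mailer; the recipient runs OpenSealed on the saved message. Any error from OpenSealed (wrong key, altered ciphertext, swapped ephemeral key) is a refusal rather than a partial result, which is the property the plain-text email discussed earlier in the thread lacks. In a real deployment the same shape is what a GnuPG or age encryption call gives you, with key management handled by those tools instead of by hand.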
 
ServalStudios (Author) commented:
That's great - thank you for your help!
Question has a verified solution.
