Solved

Secure form processing - best solutions

Posted on 2011-03-06
10
Medium Priority
380 Views
Last Modified: 2012-05-11
Even with an SSL encoded page, a form that sends you an email is still considered not entirely secure, correct? What is the best way to set up a secure form?
0
Question by:ServalStudios
10 Comments
 
LVL 70

Expert Comment

by:Jason C. Levine
ID: 35053734
The form submission to the server would be secure under ssl but the email would go out as plain text or MIME depending on exactly how you have things set.

What are you worried about?
0
 
LVL 1

Author Comment

by:ServalStudios
ID: 35059016
Web designers have told me that, since it is sent as email from the server, it is no longer secure.  As soon as it becomes email (as in plain text or MIME) it is not secure any longer.   I would think if you are the only one retrieving it, it would be - but...
0
 
LVL 70

Expert Comment

by:Jason C. Levine
ID: 35060127
That's true, the email itself is not secure but no emails are unless you are using encryption (like PGP or similar) to render the contents of the message unreadable except to the person with the decryption key.  This is well beyond most users but certainly doable with a variety of methods.  

However, it's overkill.  There really is no reason to be this paranoid unless you are already using encryption with all of your email.  
0
 
LVL 1

Author Comment

by:ServalStudios
ID: 35071969
Thank you for your insight. I have had several web designers, especially ones online, that say you never use an email system - but can't explain how someone would be able to access this info.  So I thought maybe there was another way.  If they thought this wasn't safe, they weren't offering a solution.

I use a shopping cart that splits the credit card numbers in half, emailing one section, then leaving the other in the database.
0
 
LVL 70

Expert Comment

by:Jason C. Levine
ID: 35072693
>> I use a shopping cart that splits the credit card numbers in half, emailing one section, then leaving the other in the database.

Ah-ha.  That's NOT good because neither # is encrypted so people would be able to put the number together if they got access to both elements (db and email).  The short version is you should never, ever store or transmit credit card numbers in the clear even if you play games like splitting them up.  The best of all possible worlds is that you never store the card numbers, you just transmit them to the gateway and receive the response code.  If you absolutely must store them in a db, encrypt that column to within an inch of its life.  Do not send them by email at all.  At the absolute worst, you can send the last 4 digits in the clear as part of a receipt or tracking email.

How much do you know about PCI compliance (https://www.pcisecuritystandards.org/)?  If the answer is "not much," then you need to get educated about this because you are potentially exposing yourself or your clients to serious legal problems and lawsuits.
0
 
LVL 1

Author Comment

by:ServalStudios
ID: 35073255
The payment card splitting is done by a company that I have a website with - not something I deal with, and the remaining part of the card is encrypted. So it is not mine.

So really it gets back to my original question.  Any kind of sensitive info should not be transmitted by email.  So back to square one with trying to figure out how to do this.  The only thing I can think of is that it goes into a database that is later retrieved.
0
 
LVL 70

Expert Comment

by:Jason C. Levine
ID: 35073297
>>  The only thing I can think of is that it goes into a database that is later retrieved.

Yes, but since the portion that goes into the database is encrypted, the other portion sent by email should be ok.   I would still check this method against the PCI standards to make sure you're in the clear.  If the encryption is a simple MD5 transformation with no salting variable, it may not be considered strong enough.

To be honest, we're somewhat in the weeds here.  This is really an oddball method of running a cart...
0
 
LVL 1

Author Comment

by:ServalStudios
ID: 35073538
Yeah, it's an odd cart, but not something I have anything to do with; I was just using it as an example of how they were concerned about email transmission.

My original question was about setting up an email form. Not part of a shopping cart.  Not part of the example that I gave.   If there is a concern about information being transferred by email, there must be solutions out there.  So that's what I am looking for.

0
 
LVL 70

Accepted Solution

by:Jason C. Levine (earned 2000 total points)
ID: 35073617
As I said, there are any number of ways to encrypt an email provided you are not expecting any random person to be able to follow the decrypt procedure.  If you are sending it to one person or to yourself, it's feasible.

http://devzone.zend.com/article/1265
http://www.kelv.net/programming/pgp.php

0
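The accepted answer's approach (encrypt the message to the recipient's key, so the email is opaque to every relay between the server and the mailbox) and the earlier point that TLS only covers browser-to-server, as an added example that is not part of the thread or of the linked articles. PHP is assumed because the two links are PHP articles; the code uses the PECL gnupg extension. The fingerprint, mailbox address and form field names are placeholders, and the owner's public key is assumed to be already imported into the web server user's keyring.

```php
<?php
// Added example (not from the thread or the linked articles): a contact-form
// handler that encrypts the submission to the site owner's OpenPGP public key
// before handing it to the mail system, using the PECL gnupg extension.
// Assumptions (placeholders, not values from the thread):
//   - the owner's public key is already imported into the keyring of the web
//     server user (GNUPGHOME) and its fingerprint is in OWNER_KEY_FINGERPRINT;
//   - the form is served over HTTPS, so TLS covers browser -> server, and this
//     code covers server -> mailbox, where SMTP relays may deliver in clear.
declare(strict_types=1);

const OWNER_KEY_FINGERPRINT = '0000000000000000000000000000000000000000'; // placeholder
const OWNER_MAILBOX         = 'owner@example.com';                         // placeholder

/**
 * Collect only the fields we intend to forward. Whitelisting field names keeps
 * arbitrary POST keys out of the message, and the size cap limits abuse.
 */
function collect_fields(array $post, array $allowed, int $maxLen = 4000): array
{
    $fields = [];
    foreach ($allowed as $name) {
        $value = (isset($post[$name]) && is_string($post[$name])) ? $post[$name] : '';
        // Strip control characters so a value cannot smuggle in extra lines.
        $value = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $value) ?? '';
        $fields[$name] = substr($value, 0, $maxLen);
    }
    return $fields;
}

/** Render the submission as "name: value" lines, one field per line. */
function render_plaintext(array $fields): string
{
    $lines = [];
    foreach ($fields as $name => $value) {
        $lines[] = $name . ': ' . str_replace(["\r", "\n"], ' ', $value);
    }
    return implode("\n", $lines) . "\n";
}

/**
 * Encrypt $plaintext to the owner's key. The result is ASCII-armored, so it
 * travels through any mail relay as an ordinary text body; only the holder of
 * the matching private key can read it.
 */
function encrypt_for_owner(string $plaintext, string $fingerprint): string
{
    $gpg = new gnupg();
    $gpg->seterrormode(gnupg::ERROR_EXCEPTION); // throw instead of returning false
    $gpg->addencryptkey($fingerprint);
    return $gpg->encrypt($plaintext);
}

function handle_submission(array $post): bool
{
    $fields    = collect_fields($post, ['name', 'email', 'message']);
    $plaintext = render_plaintext($fields);
    $armored   = encrypt_for_owner($plaintext, OWNER_KEY_FINGERPRINT);

    // Subject and headers remain visible to relays: keep them generic and
    // never copy user input into them.
    $headers = "Content-Type: text/plain; charset=UTF-8\r\n"
             . "Content-Transfer-Encoding: 7bit\r\n";
    return mail(OWNER_MAILBOX, 'Encrypted form submission', $armored, $headers);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        $ok = handle_submission($_POST);
        http_response_code($ok ? 200 : 500);
    } catch (Exception $e) {
        // Fail closed: never fall back to sending the submission unencrypted.
        error_log('form encryption failed: ' . $e->getMessage());
        http_response_code(500);
    }
}
```

Two design points worth checking in any deployment: the handler must fail closed (an exception from gnupg must not degrade into a plaintext mail), and the Subject and envelope headers are still readable by every relay, so nothing sensitive belongs there. On the receiving side the owner decrypts with their private key in their mail client, which is the "feasible if you are sending it to one person or to yourself" condition the answer describes.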
 
LVL 1

Author Closing Comment

by:ServalStudios
ID: 35073751
That's great - thank you for your help!
0
