Solved

Secure form processing - best solutions

Posted on 2011-03-06
356 Views
Last Modified: 2012-05-11
Even with an SSL-encoded page, a form that sends you an email is still considered not entirely secure, correct? What is the best way to set up a secure form?
Question by:ServalStudios
10 Comments
 
Expert Comment

by:Jason C. Levine
ID: 35053734
The form submission to the server would be secure under SSL, but the email would go out as plain text or MIME depending on exactly how you have things set.

What are you worried about?

Author Comment

by:ServalStudios
ID: 35059016
Web designers have told me that, since it is sent as email from the server, it is no longer secure. As soon as it becomes email (as in plain text or MIME), it is not secure any longer. I would think if you are the only one retrieving it, it would be, but...

Expert Comment

by:Jason C. Levine
ID: 35060127
That's true, the email itself is not secure, but no emails are unless you are using encryption (like PGP or similar) to render the contents of the message unreadable except to the person with the decryption key. This is well beyond most users but certainly doable with a variety of methods.

However, it's overkill.  There really is no reason to be this paranoid unless you are already using encryption with all of your email.  

Author Comment

by:ServalStudios
ID: 35071969
Thank you for your insight. I have had several web designers, especially ones online, who say you never use an email system, but they can't explain how someone would be able to access this info. So I thought maybe there was another way. If they thought this wasn't safe, they weren't offering a solution.

I use a shopping cart that splits the credit card numbers in half, emailing one section, then leaving the other in the database.

Expert Comment

by:Jason C. Levine
ID: 35072693
>> I use a shopping cart that splits the credit card numbers in half, emailing one section, then leaving the other in the database.

Ah-ha. That's NOT good, because neither number is encrypted, so people would be able to put the number together if they got access to both elements (db and email). The short version is you should never, ever store or transmit credit card numbers in the clear, even if you play games like splitting them up. The best of all possible worlds is that you never store the card numbers; you just transmit them to the gateway and receive the response code. If you absolutely must store them in a db, encrypt that column to within an inch of its life. Do not send them by email at all. At the absolute worst, you can send the last 4 digits in the clear as part of a receipt or tracking email.

How much do you know about PCI compliance https://www.pcisecuritystandards.org/  ?  If the answer is "not much," then you need to get educated about this because you are potentially exposing yourself or your clients to serious legal problems and lawsuits.  
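
As an added example (not part of this thread and not any poster's code), here is a Node.js sketch of the receipt-email rule above: validate the card number, hand the full number to the payment gateway, and let only the last four digits reach the email. The gateway call, the order fields and the envelope of the receipt are assumptions for illustration; the card numbers used are standard public test numbers, not real cards. It also adds a last-line check that refuses to send any outbound message that still contains something that looks like a full card number.

```javascript
// Added example, not code from the thread. Receipt email that never carries
// the full card number: validate, charge via gateway, then mail only last four.

// Luhn checksum; rejects mistyped or truncated numbers before they go anywhere.
function luhnValid(pan) {
  const digits = String(pan).replace(/[\s-]/g, '');
  if (!/^\d{12,19}$/.test(digits)) return false;
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// The only card-derived value that a receipt or tracking email may contain.
function last4(pan) {
  return String(pan).replace(/[\s-]/g, '').slice(-4);
}

// Last line of defence: scan an outbound message for anything that looks like a
// full PAN (13-19 digits, optional spaces/dashes, passing Luhn) before sending.
function containsPan(text) {
  const candidates = text.match(/\d(?:[ -]?\d){12,18}/g) || [];
  return candidates.some(luhnValid);
}

// The receipt is built from an order record that deliberately has no PAN field,
// so no caller can put the full number into the mail by accident.
function receiptBody(order) {
  return [
    `Order ${order.id} confirmed.`,
    `Amount: ${order.amount}`,
    `Card ending in ${order.last4}`,
    `Gateway reference: ${order.gatewayRef}`,
  ].join('\n');
}

// chargeWithGateway(pan, amount) -> reference string is an assumed gateway call.
function processOrder(form, chargeWithGateway) {
  if (!luhnValid(form.cardNumber)) throw new Error('card number failed checksum');
  const gatewayRef = chargeWithGateway(form.cardNumber, form.amount);
  // From here on only the gateway reference and the last four digits exist in our system.
  const order = { id: form.orderId, amount: form.amount, last4: last4(form.cardNumber), gatewayRef };
  const email = receiptBody(order);
  if (containsPan(email)) throw new Error('refusing to send: full card number in email');
  return { order, email };
}

// Constructed sample using a public test card number, not a real card.
function demo() {
  const form = { orderId: 'A-1001', amount: '19.99 USD', cardNumber: '4111 1111 1111 1111' };
  const fakeGateway = () => 'gw-ref-7f3a9c';
  return processOrder(form, fakeGateway);
}
```

The point of `containsPan` is that the receipt template is not the only thing that can leak a number: free-text fields, error messages and debug logs can too, so the check runs on the final message rather than trusting the template.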

Author Comment

by:ServalStudios
ID: 35073255
The payment card splitting is done by a company that I have a website with, not something I deal with, and the remaining part of the card is encrypted. So it is not mine.

So really it gets back to my original question. Any kind of sensitive info should not be transmitted by email. So back to square one with trying to figure out how to do this. The only thing I can think of is that it goes into a database that is later retrieved.

Expert Comment

by:Jason C. Levine
ID: 35073297
>>  The only thing I can think of is that it goes into a database that is later retrieved.

Yes, but since the portion that goes into the database is encrypted, the other portion sent by email should be OK. I would still check this method against the PCI standards to make sure you're in the clear. If the encryption is a simple MD5 transformation with no salting variable, it may not be considered strong enough.

To be honest, we're somewhat in the weeds here.  This is really an oddball method of running a cart...

Author Comment

by:ServalStudios
ID: 35073538
Yeah, it's an odd cart, but not something I have anything to do with; I was just using it as an example of how they were concerned about email transmission.

My original question was about setting up an email form, not part of a shopping cart, not part of the example that I gave. If there is a concern about information being transferred by email, there must be solutions out there. So that's what I am looking for.


Accepted Solution

by:Jason C. Levine (earned 500 total points)
ID: 35073617
As I said, there are any number of ways to encrypt an email, provided you are not expecting any random person to be able to follow the decrypt procedure. If you are sending it to one person or to yourself, it's feasible.

http://devzone.zend.com/article/1265
http://www.kelv.net/programming/pgp.php


Author Closing Comment

by:ServalStudios
ID: 35073751
That's great - thank you for your help!