Solved

Secure form processing - best solutions

Posted on 2011-03-06
10
349 Views
Last Modified: 2012-05-11
Even with an SSL encoded page, a form that sends you an email is still considered not entirely secure, correct? What is the best way to set up a secure form?
0
Question by:ServalStudios
  • 5
  • 5
10 Comments
 
LVL 70

Expert Comment

by:Jason C. Levine
ID: 35053734
The form submission to the server would be secure under ssl but the email would go out as plain text or MIME depending on exactly how you have things set.

What are you worried about?
0
 
LVL 1

Author Comment

by:ServalStudios
ID: 35059016
Web designers have told me that, since it is sent as email from the server, it is no longer secure. As soon as it becomes email (as in plain text or MIME), it is not secure any longer. I would think if you are the only one retrieving it, it would be - but..
0
 
LVL 70

Expert Comment

by:Jason C. Levine
ID: 35060127
That's true, the email itself is not secure but no emails are unless you are using encryption (like PGP or similar) to render the contents of the message unreadable except to the person with the decryption key.  This is well beyond most users but certainly doable with a variety of methods.  

However, it's overkill.  There really is no reason to be this paranoid unless you are already using encryption with all of your email.  
0
 
LVL 1

Author Comment

by:ServalStudios
ID: 35071969
Thank you for your insight. I have had several web designers, especially ones online, that say you never use an email system - but can't explain how someone would be able to access this info. So I thought maybe there was another way. If they thought this wasn't safe, they weren't offering a solution.

I use a shopping cart that splits the credit card numbers in half, emailing one section, then leaving the other in the database.
0
 
LVL 70

Expert Comment

by:Jason C. Levine
ID: 35072693
>> I use a shopping cart that splits the credit card numbers in half, emailing one section, then leaving the other in the database.

Ah-ha.  That's NOT good because neither # is encrypted so people would be able to put the number together if they got access to both elements (db and email).  The short version is you should never, ever store or transmit credit card numbers in the clear even if you play games like splitting them up.  The best of all possible worlds is that you never store the card numbers, you just transmit them to the gateway and receive the response code.  If you absolutely must store them in a db, encrypt that column to within an inch of its life.  Do not send them by email at all.  At the absolute worst, you can send the last 4 digits in the clear as part of a receipt or tracking email.

How much do you know about PCI compliance https://www.pcisecuritystandards.org/  ?  If the answer is "not much," then you need to get educated about this because you are potentially exposing yourself or your clients to serious legal problems and lawsuits.  
0
 
LVL 1

Author Comment

by:ServalStudios
ID: 35073255
The payment card splitting is done by a company that I have a website with - not something I deal with, and the remaining part of the card is encrypted. So it is not mine.

So really it gets back to my original question.  Any kind of sensitive info should not be transmitted by email.  So back to square one with trying to figure out how to do this.  The only thing I can think of is that it goes into a database that is later retrieved.
0
 
LVL 70

Expert Comment

by:Jason C. Levine
ID: 35073297
>>  The only thing I can think of is that it goes into a database that is later retrieved.

Yes, but since the portion that goes into the database is encrypted, the other portion sent by email should be OK.   I would still check this method against the PCI standards to make sure you're in the clear.  If the encryption is a simple MD5 transformation with no salting variable, it may not be considered strong enough.

To be honest, we're somewhat in the weeds here.  This is really an oddball method of running a cart...
0
 
LVL 1

Author Comment

by:ServalStudios
ID: 35073538
Yeah, it's an odd cart, but not something I have anything to do with; I was just using it as an example of how they were concerned about email transmission.

My original question was about setting up an email form. Not part of a shopping cart.  Not part of the example that I gave.   If there is a concern about information being transferred by email, there must be solutions out there.  So that's what I am looking for.

0
 
LVL 70

Accepted Solution

by:
Jason C. Levine earned 500 total points
ID: 35073617
As I said, there are any number of ways to encrypt an email provided you are not expecting any random person to be able to follow the decrypt procedure.  If you are sending it to one person or to yourself, it's feasible.

http://devzone.zend.com/article/1265
http://www.kelv.net/programming/pgp.php

0
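One way to implement the approach in the accepted solution, as an added example that is not part of this thread or of the linked articles: a PHP form handler that encrypts the submission to the site owner's PGP public key (via PHP's gnupg extension) before handing it to mail(), so the message travels and sits in the mailbox as ciphertext that only the holder of the private key can read. The key fingerprint, owner address and GNUPGHOME path are placeholders, and the owner's public key is assumed to have been imported into that keyring beforehand.

```php
<?php
// Added example: contact-form handler that PGP-encrypts the submission before mailing it.
// Assumes the PHP gnupg extension and a keyring (GNUPGHOME) readable by the web server
// user that already contains the site owner's public key. Placeholder values below.

$recipientFingerprint = 'REPLACE_WITH_OWNER_KEY_FINGERPRINT'; // placeholder
$ownerAddress         = 'owner@example.com';                  // placeholder
putenv('GNUPGHOME=/var/lib/contact-form/.gnupg');             // placeholder path

// Strip CR/LF/NUL so user input can never inject extra mail headers, and cap length.
function cleanField(string $value, int $max): string {
    $value = substr(trim($value), 0, $max);
    return str_replace(["\r", "\n", "\0"], ' ', $value);
}

$name    = cleanField($_POST['name'] ?? '', 100);
$from    = cleanField($_POST['email'] ?? '', 254);
$message = trim($_POST['message'] ?? '');

if ($name === '' || $message === '' || !filter_var($from, FILTER_VALIDATE_EMAIL)) {
    http_response_code(400);
    exit('Invalid submission.');
}

// Everything sensitive goes into the body, which is what gets encrypted.
// Mail headers stay in the clear, so the submitter's address is deliberately
// NOT placed in From:/Reply-To:; it is only inside the encrypted body.
$plain = "Name: $name\nEmail: $from\nReceived: " . gmdate('c') . "\n\n$message\n";

try {
    $gpg = new gnupg();
    $gpg->seterrormode(gnupg::ERROR_EXCEPTION);
    $gpg->addencryptkey($recipientFingerprint);
    $armored = $gpg->encrypt($plain);   // ASCII-armored PGP message
} catch (Exception $e) {
    // Fail closed: never fall back to sending the plaintext if encryption fails.
    error_log('contact form: encryption failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Could not process submission.');
}

$headers = "From: contact-form@example.com\r\nContent-Type: text/plain; charset=utf-8";
if (!mail($ownerAddress, 'Encrypted contact form submission', $armored, $headers)) {
    error_log('contact form: mail() failed');
    http_response_code(500);
    exit('Could not process submission.');
}
echo 'Thank you, your message was sent.';
```

The subject line and headers remain readable in transit, so keep them generic; only the armored body is protected.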
 
LVL 1

Author Closing Comment

by:ServalStudios
ID: 35073751
That's great - thank you for your help!
0
