Secure form processing - best solutions

Posted on 2011-03-06
Last Modified: 2012-05-11
Even with an SSL encoded page, a form that sends you an email is still considered not entirely secure, correct? What is the best way to set up a secure form?
Question by:ServalStudios

Expert Comment

by:Jason C. Levine
ID: 35053734
The form submission to the server would be secure under ssl but the email would go out as plain text or MIME depending on exactly how you have things set.

What are you worried about?

Author Comment

by:ServalStudios
ID: 35059016
Web designers have told me that, since it is sent as email from the server, it is no longer secure. As soon as it becomes email (as in plain text or MIME), it is not secure any longer. I would think if you are the only one retrieving it, it would be - but..

Expert Comment

by:Jason C. Levine
ID: 35060127
That's true, the email itself is not secure but no emails are unless you are using encryption (like PGP or similar) to render the contents of the message unreadable except to the person with the decryption key.  This is well beyond most users but certainly doable with a variety of methods.  

However, it's overkill.  There really is no reason to be this paranoid unless you are already using encryption with all of your email.  

Author Comment

by:ServalStudios
ID: 35071969
Thank you for your insight. I have had several web designers, especially ones online, that say you never use an email system - but can't explain how someone would be able to access this info. So I thought maybe there was another way. If they thought this wasn't safe, they weren't offering a solution.

I use a shopping cart that splits the credit card numbers in half, emailing one section, then leaving the other in the database.

Expert Comment

by:Jason C. Levine
ID: 35072693
>> I use a shopping cart that splits the credit card numbers in half, emailing one section, then leaving the other in the database.

Ah-ha.  That's NOT good because neither # is encrypted so people would be able to put the number together if they got access to both elements (db and email).  The short version is you should never, ever store or transmit credit card numbers in the clear even if you play games like splitting them up.  The best of all possible worlds is that you never store the card numbers, you just transmit them to the gateway and receive the response code.  If you absolutely must store them in a db, encrypt that column to within an inch of its life.  Do not send them by email at all.  At the absolute worst, you can send the last 4 digits in the clear as part of a receipt or tracking email.

How much do you know about PCI compliance https://www.pcisecuritystandards.org/  ?  If the answer is "not much," then you need to get educated about this because you are potentially exposing yourself or your clients to serious legal problems and lawsuits.  

Author Comment

by:ServalStudios
ID: 35073255
The payment card splitting is done by a company that I have a website with - not something I deal with, and the remaining part of the card is encrypted. So it is not mine.

So really it gets back to my original question.  Any kind of sensitive info should not be transmitted by email.  So back to square one with trying to figure out how to do this.  The only thing I can think of is that it goes into a database that is later retrieved.

Expert Comment

by:Jason C. Levine
ID: 35073297
>>  The only thing I can think of is that it goes into a database that is later retrieved.

Yes, but since the portion that goes into the database is encrypted, the other portion sent by email should be ok.   I would still check this method against the PCI standards to make sure you're in the clear.  If the encryption is a simple MD5 transformation with no salting variable, it may not be considered strong enough.

To be honest, we're somewhat in the weeds here.  This is really an oddball method of running a cart...

Author Comment

by:ServalStudios
ID: 35073538
Yeah, it's an odd cart, but not something I have anything to do with; I was just using it as an example of how they were concerned about email transmission.

My original question was about setting up an email form.  Not part of a shopping cart.  Not part of the example that I gave.   If there is a concern about information being transferred by email, there must be solutions out there.  So that's what I am looking for.


Accepted Solution

by:Jason C. Levine (earned 500 total points)
ID: 35073617
As I said, there are any number of ways to encrypt an email provided you are not expecting any random person to be able to follow the decrypt procedure.  If you are sending it to one person or to yourself, it's feasible.

http://devzone.zend.com/article/1265
http://www.kelv.net/programming/pgp.php

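The approach the accepted answer points at (encrypt the submission on the server to the site owner's PGP public key, then mail only the ciphertext), written out as an added example that is not part of this thread or of either linked article. It assumes GnuPG is installed on the web server with the owner's public key imported into the server keyring, that RECIPIENT_FPR is that key's fingerprint (the value below is a placeholder), and that the gpg binary is on PATH; the sample form fields and the stand-in ciphertext used when gpg is unavailable are constructed. The output is a standard PGP/MIME (RFC 3156) message, so any PGP-capable mail client can decrypt it.

```python
"""Encrypt a contact-form submission to a PGP public key before it is mailed,
wrapping the ciphertext as a PGP/MIME (RFC 3156) message.

Assumptions (not from the thread): GnuPG is installed on the web server, the
site owner's PUBLIC key is imported into the server's keyring, and
RECIPIENT_FPR is that key's fingerprint.  No private key lives on the server.
"""
import shutil
import subprocess
from email import encoders
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.utils import formatdate

# Placeholder fingerprint; replace with the real key's fingerprint.
RECIPIENT_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"


def render_submission(fields):
    """Render posted fields as the plaintext that will be encrypted.
    CR/LF are folded out of each value so one field cannot be made to look
    like another line of the rendered text."""
    lines = []
    for name, value in fields.items():
        lines.append("%s: %s" % (name, " ".join(str(value).splitlines())))
    return "\n".join(lines) + "\n"


def gpg_encrypt(plaintext, recipient_fpr, gpg_bin="gpg"):
    """ASCII-armoured public-key encryption through the gpg CLI.
    --trust-model always avoids the interactive 'key not certified' prompt
    that would otherwise abort a --batch run.  Any failure raises: the
    handler must never fall back to mailing the plaintext."""
    cmd = [gpg_bin, "--batch", "--yes", "--armor", "--encrypt",
           "--trust-model", "always", "--recipient", recipient_fpr]
    proc = subprocess.run(cmd, input=plaintext.encode("utf-8"),
                          capture_output=True)
    if proc.returncode != 0:
        raise RuntimeError("gpg failed: " + proc.stderr.decode("utf-8", "replace"))
    return proc.stdout.decode("ascii")


def build_pgp_mime(armored, sender, recipient, subject):
    """RFC 3156 multipart/encrypted container: a control part declaring the
    protocol version and an octet-stream part holding the armoured data."""
    msg = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject        # headers are not encrypted: keep generic
    msg["Date"] = formatdate(localtime=True)
    control = MIMEApplication("Version: 1\n", "pgp-encrypted",
                              _encoder=encoders.encode_7or8bit)
    body = MIMEApplication(armored, "octet-stream",
                           _encoder=encoders.encode_7or8bit)
    body.add_header("Content-Disposition", "inline", filename="encrypted.asc")
    msg.attach(control)
    msg.attach(body)
    return msg


def handle_form(fields, sender, recipient, subject,
                recipient_fpr=RECIPIENT_FPR, encrypt=gpg_encrypt):
    """Render -> encrypt -> wrap.  `encrypt` is injectable so the MIME
    assembly can be exercised without a keyring."""
    armored = encrypt(render_submission(fields), recipient_fpr)
    if "-----BEGIN PGP MESSAGE-----" not in armored:
        raise RuntimeError("refusing to mail: encryptor did not return a PGP message")
    return build_pgp_mime(armored, sender, recipient, subject)


# Constructed stand-in for gpg output so the example runs without a keyring.
# It is not a real ciphertext.
FAKE_ARMORED = ("-----BEGIN PGP MESSAGE-----\n\n"
                "hQEMA0NvbnN0cnVjdGVkAQf9Y29uc3RydWN0ZWQgc2FtcGxlIG9ubHk=\n"
                "=AbCd\n"
                "-----END PGP MESSAGE-----\n")


def fake_encrypt(plaintext, recipient_fpr):
    return FAKE_ARMORED


if __name__ == "__main__":
    # Constructed sample submission.  With the placeholder fingerprint a real
    # gpg run fails, which (correctly) aborts instead of mailing plaintext.
    form = {"name": "Jane Doe", "email": "jane@example.com",
            "message": "Please call me about my order.\nThanks"}
    encrypt = gpg_encrypt if shutil.which("gpg") else fake_encrypt
    message = handle_form(form, "webform@example.com", "owner@example.com",
                          "Website contact form", encrypt=encrypt)
    print(message.as_string())
    # To deliver: smtplib.SMTP("localhost").send_message(message)
```

Two caveats a practitioner would want. The From, To, Subject and Date headers travel in the clear, so the subject should say nothing about the submission. And only the public key is on the server: a compromised server could read submissions before they are encrypted, but it cannot decrypt the mailbox archive, which is the property that makes the emailed copies safe at rest.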

Author Closing Comment

by:ServalStudios
ID: 35073751
That's great - thank you for your help!