Form Encryption

software development

#1

Can someone guide me in finding the easiest way to ensure that data is safely transmitted from a form? The form is a credit application, so about 50 fields and highly sensitive information (Social Security Numbers etc.)

Here’s where I’m at. I set up the form, and I’m using the Dreamhost cgi script to transmit the data. It’s a secure site with Geotrust. However, I’ve been reading that I need to make sure that data is encrypted, but am not sure how to proceed.

I read something about needing to use PGP, which is a little overwhelming right now. If that’s the best way to go, I’ll dive in and try to figure it out, but wanted to check first to see if that’s the best solution.

I also came across Tectite and am wondering if anyone is familiar with that:
http://www.tectite.com/

One more obstacle is that my employer is not happy with the way the data is returned (in a plain text email that just shows the field name with the data following). He would prefer a nicely formatted document that looks somewhat like the original form.

Please know, I’m a newbie, and what I described above is the extent of my knowledge in doing this type of thing… I would greatly appreciate any advice anyone has!! Thank you!!


#2

You could sign up for SSL with DH. That would probably suit your needs, but might be overkill? (can never be too secure?).

You could use a javascript based encryption which would be simple enough to do. So when someone presses enter, it instead runs a javascript function which preforms simple encryption on the fields and then you use PHP to decrypt it. This would could be easily decrypted but people would probably have to manually do it…

As for the email, you could send HTML emails and this would look exactly like the form. You could store the information in a database so your employer could search the information easier.

Sorry nothing is very informative but I just thought I should add something :slight_smile:


#3

If you’re sending this information via unencrypted e-mail, you might as well not be using SSL at all, as the information will only be encrypted between the user and the site, and sent in the clear the rest of the way.

It’s fairly easy to encrypt form data using GPG, which is already installed on DH servers. A quick google turns up this example using PHP, which is pretty similar to how I’ve done it myself. You’ll need to write your own form and mail script, rather than using the DH-provided one.


If you want useful replies, ask smart questions.


#4

I think I’m in over my head on this one–I’m having a hard time “asking smart questions” right now. Your response is very helpful, I just don’t know that I have the knowledge to do this. I looked at the example and GPG site and am confused by the differences between GPG and PGP. The title “Send a PGP encrypted e-mail with PHP and GPG” is confusing to me.

Am I at all correct in saying that I should use GPG (a free software) to ENCRYPT the data, and then PGP (something I need to purchase and install on the receiving pc) to DECRYPT the data?

I apologize for my ignorance.


#5

Thanks for the info. I’m in over my head and need to study this some more. I truly appreciate you taking the time to help.


#6

GPG is basically a free implementation of PGP. For your purposes, it’s the same thing. The similarity in their names can be a little confusing as well.

GPG is free and can be installed on the computer that will be receiving the encrypted e-mail. It’s already installed on DH’s servers and it’s cross platform so it can be installed on just about any desktop machine. The script I linked to will encrypt the form data with the GPG binary on the server and mail it to you, where you will use GPG on your desktop computer (usually, but not necessarily, via an e-mail client plug-in) to decrypt it.

You will first need to generate a public/private key pair. Information on doing so can be found in the GPG docs, as can an explanation of how public key cryptography works.

Ignorant just means uninformed. That’s nothing to apologize for, we’re all ignorant of many things, and you probably know a lot about subjects I’m entirely ignorant of. At least you seem willing to learn, unlike a lot of people who post to this or other support forums asking vague questions and wanting HELP RIGHT NOW!!1!


If you want useful replies, ask smart questions.


#7

Okay, the light has come on. Thank you so much for the thorough explanation. I think I’m getting over the mental block and am ready to dive in. I’ve never recieved such great support in such a short amount of time. Thank you!


#8

One more thing. How can a user tell if the form they are using is truly secure or not? I naively thought the SSL protected me, but as you pointed out, it’s useless in situations such as this. As a user it’s unnerving.