Secure Web Forms


#1

I want to make a secure form for a business website that contains sensitive information about customers. I understand the basic HTML form and I know that I want the form to send the information to an e-mail address. I do not know much about SSL, Unique IPs, or Certificates. Could someone give some advice about how to secure a form? Do I need the Unique IP and a Certificate or do I need PGP key? And how does it all work?

Thanks bunches!
Kristina


#2

Interesting, I thought that the wiki might say something specific but I didn’t find a good reference.

Perhaps someone with experience would document it?



#3

Yeah, I know. It gives you the very scant basics about security and how to buy it, but nothing more. :frowning:


#4

You would need both secure web service and a PGP/GPG. The secure web service is needed to secure the connection to the web browser. PGP/GPG is needed to encrypt the information in the e-mail message. An e-mail client that can decrypt the message will also be needed.

DreamHost makes it easy to set up the secure web server - in the web panel for “Manage Domains” just click on the “Edit” button in the “Secure Service” column for the appropriate domain. DreamHost does all the configuration for you.

Encrypting the e-mail message is the hard part because you have to set that up yourself with a bit of a learning curve if you’re new to PKI.

In my Perl scripts I use the gpg program (GNU Privacy Guard) to encrypt the message body before piping it to Postfix sendmail. For this to work, I have a GPG user for both the web site and the recipient. The script encrypts the message for the recipient, and the recipient uses a custom install of SquirrelMail with a GPG plugin in order to read the messages - from the secure web server of course. Personally I use the Mozilla Thunderbird client and the Enigmail plugin.

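The pipeline described in the post above (encrypt the form fields with gpg for the recipient's public key, then hand the result to the local sendmail), written out as an added example. This is not the poster's Perl script; it is a Python equivalent that also wraps the ciphertext as PGP/MIME rather than pasting it inline, so Thunderbird/Enigmail or a webmail GPG plugin can decrypt it directly. The GnuPG home directory, the sendmail path, the addresses and the sample form values are assumptions for illustration, and the recipient's public key is assumed to be imported into that keyring already.

```python
"""Form-mail handler that gpg-encrypts the submission before sending.

Added example, not code from the thread. Assumptions (hypothetical):
the web user's GnuPG keyring at GPG_HOME already holds the recipient's
public key, and a sendmail binary lives at SENDMAIL.
"""
import subprocess
from email.encoders import encode_7or8bit
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.utils import formatdate, make_msgid

GPG_HOME = "/home/webuser/.gnupg"   # assumption: keyring owned by the web user
SENDMAIL = "/usr/sbin/sendmail"     # assumption: Postfix sendmail compatibility binary
ALLOWED_FIELDS = ("name", "phone", "vehicle", "message")  # whitelist of form fields


def format_fields(fields):
    """Render only whitelisted fields, one per line, with CR/LF flattened.

    Unknown POST keys are dropped and embedded newlines are removed, so a
    hostile submission cannot smuggle extra lines into the message body.
    """
    lines = []
    for key in ALLOWED_FIELDS:
        value = str(fields.get(key, "")).replace("\r", " ").replace("\n", " ")
        lines.append(f"{key}: {value}")
    return "\n".join(lines) + "\n"


def gpg_encrypt(plaintext, recipient):
    """Encrypt plaintext for `recipient` with gpg; returns ASCII armour.

    --batch/--yes keep gpg non-interactive; --trust-model always skips the
    ownertrust prompt for a key the operator has verified out of band.
    """
    cmd = ["gpg", "--homedir", GPG_HOME, "--batch", "--yes", "--armor",
           "--trust-model", "always", "--recipient", recipient, "--encrypt"]
    result = subprocess.run(cmd, input=plaintext.encode("utf-8"),
                            capture_output=True, check=True)
    return result.stdout.decode("ascii")


def build_pgp_mime(ciphertext, sender, recipient, subject):
    """Wrap armoured ciphertext as a multipart/encrypted message (RFC 3156).

    Headers such as Subject are NOT encrypted, so the caller keeps them
    free of customer data.
    """
    msg = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["Date"] = formatdate(localtime=True)
    msg["Message-ID"] = make_msgid()
    # Part 1: the fixed control part required by RFC 3156.
    control = MIMEApplication(b"Version: 1\n", "pgp-encrypted", _encoder=encode_7or8bit)
    # Part 2: the armoured ciphertext itself.
    body = MIMEApplication(ciphertext.encode("ascii"), "octet-stream",
                           _encoder=encode_7or8bit, name="encrypted.asc")
    body.add_header("Content-Disposition", "inline", filename="encrypted.asc")
    msg.attach(control)
    msg.attach(body)
    return msg


def handle_submission(fields, recipient, sender, encrypt=gpg_encrypt):
    """Turn a submitted form dict into a ready-to-send PGP/MIME message.

    `encrypt` is injectable so the message construction can be exercised
    without a keyring present.
    """
    ciphertext = encrypt(format_fields(fields), recipient)
    return build_pgp_mime(ciphertext, sender, recipient, "New web form submission")


def send(msg):
    """Pipe the message to sendmail; -t reads recipients from the headers,
    -oi stops a lone '.' line from ending the input early."""
    subprocess.run([SENDMAIL, "-oi", "-t"], input=msg.as_bytes(), check=True)


if __name__ == "__main__":
    # Constructed sample submission; real handlers take these from the POST body.
    sample = {"name": "Jane Customer", "phone": "555-0100",
              "vehicle": "2006 sedan", "message": "Please call after 5pm"}
    send(handle_submission(sample, "sales@example.com", "web@example.com"))
```

Two things the example makes explicit that the post leaves implicit: the Subject and envelope stay in clear text no matter how the body is encrypted, and the field whitelist plus newline flattening is what stops a submitted value from injecting extra lines into the message before gpg ever sees it.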


#5

Most sites I know don’t actually encrypt email but rather just send you a notification via unencrypted email with a link back to your information on your website on an encrypted page. You are, of course, required to authenticate with the website before viewing that information.

This way you don’t have to bother doing encrypted email.

That said, other folks I know have delivered sensitive reports via PGP-encrypted email and have even provided an IMAP email account for the express purpose of delivering email over a secure channel.

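The store-and-notify pattern from the post above, as an added example (not code from the thread): the handler writes the submission to a database, the e-mail that goes out in the clear carries only an opaque reference and a link, and the record is read back over HTTPS only after the staff member has authenticated. The SQLite schema, the admin URL, the session dictionary and the sample data are all constructed for this illustration.

```python
"""Store the form submission server-side; e-mail staff a link, not the data.

Added example, not from the thread. Schema, URL and session shape are
assumptions made for illustration.
"""
import secrets
import sqlite3
from datetime import datetime, timezone

ADMIN_URL = "https://www.example.com/admin/submissions/"  # assumption: HTTPS-only page

SCHEMA = """
CREATE TABLE IF NOT EXISTS submissions (
    ref         TEXT PRIMARY KEY,
    received_at TEXT NOT NULL,
    name        TEXT,
    phone       TEXT,
    message     TEXT
);
"""


def open_db(path=":memory:"):
    """Open (or create) the submissions database."""
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db


def store_submission(db, fields):
    """Persist a submission under a random reference and return that reference.

    Parameterised SQL keeps form content out of the statement text, and the
    128-bit random reference is unguessable, but it is still only a lookup
    key: viewing the record requires authentication (see fetch_submission).
    """
    ref = secrets.token_urlsafe(16)
    db.execute(
        "INSERT INTO submissions (ref, received_at, name, phone, message) "
        "VALUES (?, ?, ?, ?, ?)",
        (ref, datetime.now(timezone.utc).isoformat(),
         fields.get("name", ""), fields.get("phone", ""), fields.get("message", "")),
    )
    db.commit()
    return ref


def notification_text(ref, base_url=ADMIN_URL):
    """Body of the plain, unencrypted e-mail sent to staff.

    It carries only the link, so the SMTP hops and the mailbox learn nothing
    beyond the fact that a submission arrived.
    """
    return ("A new web form submission has arrived.\n"
            f"View it (login required): {base_url}{ref}\n")


class AuthorizationError(Exception):
    """Raised when an unauthenticated or unprivileged session asks for a record."""


def fetch_submission(db, ref, session):
    """Return the stored record as a dict, or None if the reference is unknown.

    `session` stands in for the web framework's authenticated session; the
    check runs before the lookup so the reference alone never grants access.
    """
    if not session.get("authenticated") or "staff" not in session.get("roles", ()):
        raise AuthorizationError("staff login required")
    row = db.execute(
        "SELECT ref, received_at, name, phone, message FROM submissions WHERE ref = ?",
        (ref,),
    ).fetchone()
    if row is None:
        return None
    return dict(zip(("ref", "received_at", "name", "phone", "message"), row))


if __name__ == "__main__":
    # Constructed sample; a real handler takes the fields from the POST body.
    db = open_db()
    ref = store_submission(db, {"name": "Jane Customer", "phone": "555-0100",
                                "message": "Please call after 5pm"})
    print(notification_text(ref))          # safe to send in clear text
    staff = {"authenticated": True, "roles": ("staff",)}
    print(fetch_submission(db, ref, staff))  # served only on the HTTPS admin page
```

Everything sensitive stays on the server, which is why the rest of the thread's HTTPS-plus-login advice is sufficient here: the only secret in transit is the session cookie, and that already travels over the encrypted connection.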


#6

I went ahead and got my Unique IP and my SSL Cert. I followed DreamHost and GoDaddy.com’s instructions and everything works fine except my url “www.howardmotorcompany.com” won’t work unless I type “https://www.howardmotorcompany.com”.

Did I do something wrong?

Thanks for the help so far!


#7

You probably haven’t set up regular HTTP hosting service.

In the “Manage Domains” panel you’ll notice there are two columns: “Web Hosting” and “Secure Hosting”. If your “Web Hosting” says “none” then you need to click on the “Edit” button and set up hosting service for regular HTTP access. Note: make sure the web directory is the same as for the Secure Hosting if you want a one-to-one match in URL namespace.



#8

But … If I have an SSL certificate, and my form is at an https:// address, and I read the resulting email on the DH server … where is it going that is insecure? Is it the trip between my hosting server and my email server that is the problem? Is there an option to put the information input into the form somewhere else besides an email where we could retrieve it, like a secure database? It would have to be something that’s one-click-ish to install. I’m not the most tech-oriented user.


#9

You can use JavaScript to secure an HTML form before it is sent over the internet.

Here are some examples.

http://www.websecureemail.com
http://www.anonymousspeech.com/how_to_secure_email_form.aspx


#10

Yes, security during the delivery of the email is part of the problem and reading the email itself is part of the problem as that’s not always configured to be secure.

mmm. I’m not personally aware of a package that lets you configure an arbitrary form and have the info stored for easy retrieval, but it does sound like something that should be available. And then securing it is relatively straightforward as it just involves making sure the result is presented through an HTTPS page.



#11

If you’re that worried about your mail contents, get hold of personal certificates (available for free at cacert.org) and use those to both sign and encrypt your mail contents. 1024 bits would be pretty damn secure. Yeah, they would know you’re talking but not at all what is being said.


Just about all email clients (except webmail) support the use of certificates for signing and/or encryption.
