secure forms

  • jlknauff
  • Expert
  • Posts: 502
  • Loc: Florida

Post 3+ Months Ago

Can anyone point me to a good source to learn how to develop or modify some type of secure form? What I want to do is develop a website for a mortgage company that would be secure enough for the type of info that would be required (SSN and financial info). Any ideas?

  • Carnix
  • Guru
  • Posts: 1098

Post 3+ Months Ago

Look at verisign.com.

A "secure" form is no different than an "insecure" form, except that you're using the SSL encrypted HTTPS protocol instead of the plain text HTTP protocol.

First, know the domain name you will be securing, because SSL certs are domain name specific. ssl.domain.com and secure.domain.com are common, but you can use anything you want.

You need to purchase an SSL certificate subscription (you have to renew them every so often, depending on the term you subscribe for, much like a domain name). Then you install the cert on your webserver (see the documentation for your server for help with that). The cost varies, but can be quite expensive (I'm talking thousands of dollars... but that cost should be passed straight to the client... there is no way around it if they want an SSL secured site).

*EDIT: Verisign isn't the only CA (certificate authority). There are a few, but make sure you get a real one... look at the certificates you have installed in your version of IE for examples... if you use one from a service that isn't there, IE will give an invalid cert error every time.

Then, just do things as you would normally, nothing else needs to be done.

A few things to note. SSL does very little in the way of security. Yes, it encrypts the data in transit, but it does NOTHING else. It doesn't protect the server, it doesn't protect your web browser or computer, it doesn't do ANYTHING except encrypt the HTTP request/response streams.

The thing is, the complexity required to actually intercept those streams, even in plain text, is such that the likelihood of anyone actually doing it is VERY low. Anyone with the know-how to install sniffers like that would be more likely to do things like download databases, or crash networks, rather than installing a sniffer, which, in any moderately monitored network, would show up pretty quickly due to the NIC switching to promiscuous mode anyway. There was a time that this wouldn't be as unlikely, but these days, an attack of this nature is very rare at best.

However, for a site that is submitting personally identifiable information, the risk, however low, is still too high (plus, if you're transmitting SSN data, I think it's illegal in the US without strong SSL encryption (128-bit), but I could be wrong...)

But for other applications where there really isn't anything being submitted that isn't already pretty much publicly available (name, phone number, address, telephone number, sex/gender, that sort of thing), the only reason anyone would use SSL is because their users demand it because they don't know any better...

.c
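The point made above, that a "secure" form is an ordinary form whose action URL goes over HTTPS, as an added example that is not part of the original thread: a small Python audit that parses a page's forms, resolves each form's action URL against the page URL, and flags any form that would submit sensitive-looking fields (SSN, income, account numbers) over plain HTTP. The sample page, the field-name hints and the example.com URLs are constructed for this example, not taken from the thread.

```python
"""Audit HTML forms: flag any form that would submit sensitive fields over plain HTTP."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Substrings that suggest a field carries sensitive data (constructed list for this example)
SENSITIVE_HINTS = ("ssn", "social", "account", "routing", "income", "password", "card")


class FormAuditor(HTMLParser):
    """Collects each <form> with its resolved action URL and the names of its inputs."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action means "submit back to the page's own URL",
            # so the page scheme decides whether the submission is encrypted.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name")
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def is_sensitive(field_name):
    """True when the field name contains one of the sensitive-data hints."""
    lowered = field_name.lower()
    return any(hint in lowered for hint in SENSITIVE_HINTS)


def audit_forms(html, page_url):
    """Return one finding per form: resolved action, whether it uses HTTPS,
    the sensitive fields it carries, and whether that combination is a violation."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        scheme = urlsplit(form["action"]).scheme
        sensitive = [f for f in form["fields"] if is_sensitive(f)]
        findings.append({
            "action": form["action"],
            "over_tls": scheme == "https",
            "sensitive_fields": sensitive,
            # The risk case from the thread: sensitive data sent in plain text
            "violation": bool(sensitive) and scheme != "https",
        })
    return findings


# Constructed sample page for a mortgage-application site (hypothetical, not from the thread)
SAMPLE_HTML = """
<html><body>
<form action="/apply" method="post">
  <input name="full_name"><input name="ssn"><input name="annual_income">
</form>
<form action="https://secure.example.com/apply" method="post">
  <input name="full_name"><input name="ssn">
</form>
<form action="http://example.com/newsletter" method="post">
  <input name="email">
</form>
</body></html>
"""

if __name__ == "__main__":
    # The page itself is served over plain HTTP, so the relative-action form is the one to catch
    for f in audit_forms(SAMPLE_HTML, "http://example.com/mortgage.html"):
        status = "VIOLATION" if f["violation"] else "ok"
        print(f"{status:9} {f['action']} sensitive={f['sensitive_fields']}")
```

Run it against a saved copy of the page and the page's real URL. The first sample form is the one the thread warns about: a relative action on an HTTP page submits SSN and income in the clear, while the same fields posted to an https:// action pass, and a newsletter form with no sensitive fields is not flagged regardless of scheme.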


© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.