[Subject Prev][Subject Next][Thread Prev][Thread Next][Subject Index][Thread Index]

Re: securing html forms

We are talking about 2 different kinds of security here:

1. Security of your server.  It is your responsibility to your clients
to ensure that your server is as secure as possible so that they feel
safe in giving you confidential information.  If your server is
insecure, the customer information that you are storing on your server
is liable to be compromised, leading to Bad Things happening.

2. HTTP security.  Many customers will demand or prefer a secure
(encrypted) channel when they transmit confidential information like
credit card numbers or passwords to your server.  You definitely need
HTTPS for that.  Having said that, guess how many of the millions of
credit card numbers which have been stolen on the 'net were stolen
while being transmitted to a server?  Yes, that's right: None!  The
problems associated with snooping confidential information on public
networks are so many, that 999 times out of 1000 it's much easier to
just crack into the server where the CC numbers are stored and pick
them up from there.  In other words, HTTPS/SSL is (usually) mostly
marketing hype.


-- Raju

>>>>> "Amit" == Amit Soni <amitsoni@xxxxxxxxxxxx> writes:

    Amit> hi !  My "would be" server wala says : Your server is
    Amit> located in a secured data centers which has various security
    Amit> checks and port scanners to ensure data transmission is
    Amit> secure.

    Amit> Should I still insist on SSL ? or not having it is secure
    Amit> enough ?

    >> your best bet wud be to use post method with ssl. But if u need
    >> to use
    Amit> ssl,
    >> u need to get a secure server certificate, which is tied to
    >> your machine's domain name. Though u can sign your own
    >> certificate, the browser will
    Amit> flash
    >> a nasty warning sign to the user. Also ssl takes a heavy toll
    >> on the server.. so be careful about using ssl!!!

    >> > hi !  > > I wanna secure my html forms.  > I'll be using
    >> apache.  > my cgi is in c.  > currently i'm using post method
    >> in da html.  > > I dunno wats the best thing to do.  > write my
    >> own encrypting script within the HTML ? use SSL if possible ?
    >> > > also is there any kinda ready made thing availble to do
    >> such
    Amit> things..(and
    >> > which is free also ofcourse) ;o) > > thanx !  > > aiwa ! :o)

Raju Mathur          raju@xxxxxxxxxxxxx           http://kandalaya.org/