
Re: securing html forms



We are talking about 2 different kinds of security here:

1. Security of your server.  It is your responsibility to your clients
to ensure that your server is as secure as possible so that they feel
safe in giving you confidential information.  If your server is
insecure, the customer information that you are storing on your server
is liable to be compromised, leading to Bad Things happening.

2. HTTP security.  Many customers will demand or prefer a secure
(encrypted) channel when they transmit confidential information like
credit card numbers or passwords to your server.  You definitely need
HTTPS for that.  Having said that, guess how many of the millions of
credit card numbers which have been stolen on the 'net were stolen
while being transmitted to a server?  Yes, that's right: None!  The
problems associated with snooping confidential information on public
networks are so many that 999 times out of 1000 it's much easier to
just crack into the server where the CC numbers are stored and pick
them up from there.  In other words, HTTPS/SSL is (usually) mostly
marketing hype.

Regards,

-- Raju

>>>>> "Amit" == Amit Soni <amitsoni@xxxxxxxxxxxx> writes:

    Amit> hi !  My "would be" server wala says : Your server is
    Amit> located in a secured data center which has various security
    Amit> checks and port scanners to ensure data transmission is
    Amit> secure.

    Amit> Should I still insist on SSL ? or not having it is secure
    Amit> enough ?

    >> your best bet wud be to use post method with ssl. But if u need
    >> to use ssl, u need to get a secure server certificate, which is
    >> tied to your machine's domain name. Though u can sign your own
    >> certificate, the browser will flash a nasty warning sign to the
    >> user. Also ssl takes a heavy toll on the server.. so be careful
    >> about using ssl!!!

    >> > hi !
    >> >
    >> > I wanna secure my html forms.
    >> > I'll be using apache.
    >> > my cgi is in c.
    >> > currently i'm using post method in da html.
    >> >
    >> > I dunno wats the best thing to do.
    >> > write my own encrypting script within the HTML ? use SSL if possible ?
    >> >
    >> > also is there any kinda ready made thing available to do such things..(and
    >> > which is free also of course) ;o)
    >> >
    >> > thanx !
    >> >
    >> > aiwa ! :o)

-- 
Raju Mathur          raju@xxxxxxxxxxxxx           http://kandalaya.org/