From : perfectsites
To : saintly
User Comment : Saintly was very helpful and provided me with the information I needed and did so quite promptly. I appreciate their help as well as ExpertCentral for providing this forum. Best, Shirley
Rating :
Message Status : Public

[08-16-2000] perfectsites : Greetings Saintly ~

I am a web designer that is just starting out, and I now have my first client requiring a secure site. It is not (and may never be) a traditional e-commerce site, but he does ask for sensitive information via forms on his site, that need to be e-mailed to us securely. We also need visual proof on the site that it is secure so users will feel comfortable filling in the forms.

I have looked into Verisign, but it's very expensive and I believe has many features that we don't have a need for (especially at this time).

I have also checked out Thawte, a division of Verisign, in regards to obtaining an SSL Cert to encrypt the forms as they are e-mailed to him.

But I have also seen many references to 'free' e-mail encryption, but if I am understanding them correctly, this only applies to personal e-mail, and is not applicable to the internet and e-mailing form information.

So, my question to you is, what is the very best and least expensive (he's VERY concerned about expenses) way to secure the forms as they are e-mailed to my client, and also visually assure the user of this security?

Thank you so very much for your time and making your expertise available.

I look forward to hearing from you soon.

Best Regards, Shirley Marshall / Perfect Sites
[08-16-2000] saintly :
It is a difficult situation. We ran into that when the hospital I work for decided to implement secure web browsing for sensitive information.

Verisign is expensive, but you can, however, sign the certificates yourself (i.e. be your own certificate signing agency). You only need to make another site certificate for yourself as a CSA and use it to sign your own store certificate. This is just as secure as Verisign signing it, but Netscape will complain when it sees it. The first time a self-signed certificate is used, Netscape will say that it does not recognize the certificate signer. It will ask the user whether they want to accept the certification and page through a few screens of information. The user has the option of always accepting the certificate after that. If your clients are OK with that, it allows secure web transactions. You would probably need to post a message on the site explaining what will happen to the client and reassuring them that it is still secure, and to go ahead and accept the self-signed certificate.

http://www.ultranet.com/~fhirsch/Papers/wwwj/article.html
Page talking more about SSL and how to create a self-signed certificate.

Just about the only way to implement secure (SSL) transactions over the web in a way that will be unobtrusive to the client is to pay the rates for Verisign. This is what we did in the hospital, after using self-signed certificates for a while. You can start with self-signed, and then just replace the certificate with one signed by Verisign later.

There are two good methods for secure E-Mailed information. This applies only to personal email, must be set up beforehand and done manually in most cases. One is Hushmail.

http://www.hushmail.com

This is like hotmail; a web-based email program. All mail sent between hushmail users is automatically encrypted. If both you and the client have addresses there, you can use this to communicate securely.

The other way requires more extensive set up on the part of you and the client. You both download and install PGP (an encryption package) and each create your public and private keys. A public key can only be used to encrypt a message, and not decrypt it. You each share your public key. When they want to send mail to you, they use your public key to encrypt and send it to you. Then you use your private key, along with a password, to decrypt it. In many cases, the process is automated by special email client software.

http://www.pgp.com/

Can talk more about it. Does this help? I'd be happy to talk more about any related security-related topic if you like.
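The self-signed route described in the answer above, as an added example (shell commands using openssl, not code from the original answer): a private CA signs the site certificate, and verification shows why a browser that does not know that CA warns the user while one that has imported it does not. The CA name, host name and file paths are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original answer: build a private CA, use it to
# sign a site certificate, and show why browsers that lack the CA complain.
# Assumes openssl is installed; names and paths are placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the constructed keys and certs

make_ca_and_site_cert() {
  # 1. Your own "certificate signing agency": a key plus a self-signed root cert.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # 2. The site's key and a certificate signing request (CSR) for its host name.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=forms.example.test" \
    -keyout "$WORK/site.key" -out "$WORK/site.csr" 2>/dev/null
  # 3. Sign the CSR with the private CA; a commercial CA does this step for a fee.
  openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/site.crt" 2>/dev/null
  # 4. An unrelated CA, standing in for the public CAs a browser ships with.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Some Public CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
}

# Exit status 0 when site.crt chains to the trust file given as $1.
verify_site_cert() {
  openssl verify -CAfile "$1" "$WORK/site.crt" >/dev/null 2>&1
}

# What a stock browser sees: only public CAs are trusted, so the chain fails.
unknown_ca_result() {
  if verify_site_cert "$WORK/other.crt"; then echo trusted; else echo untrusted; fi
}

# After the user accepts/imports ca.crt, the very same certificate verifies.
known_ca_result() {
  if verify_site_cert "$WORK/ca.crt"; then echo trusted; else echo untrusted; fi
}

make_ca_and_site_cert
echo "public CAs only:  $(unknown_ca_result)"
echo "private CA added: $(known_ca_result)"
```

Swapping ca.crt for a certificate from a commercial CA later, as the answer suggests, changes only step 3; the site key and the rest of the setup stay the same.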
[08-17-2000] perfectsites : Hi Saintly ~

Thanks so much for your prompt reply. And I really appreciate the info on the self-signed certs. A few have suggested that, but knowing that the dreaded Netscape would question them caused me to dismiss that idea immediately. Due to the nature of the site (financial planning) we are asking for some very sensitive and personal information and want to be sure that the user is 100% assured of our security. And having NS question it would blow big holes in that plan!

So that was very crucial info ~ thanks. (And you are the only one that mentioned it!)

Ok, now about the pgp ~ does this only concern e-mail communications between myself and my client?

If so, it's not something I need right now, we are able to meet in person to discuss the site.

So, I guess it's an SSL cert from Thawte for me.

Thanks so very much for your time and advice. It is greatly appreciated. I hope if I have a question in the future you will be able and willing to help me again.

Best Regards, Shirley

p.s. Oh ~ since you offered ~ I keep reading the term 'Apache web server' in relation to security. I went to their site and to be perfectly honest, it was all way over my head and I came away not knowing any more than when I arrived! Would you be so kind as to explain exactly what it is, what function it provides and if it would be of benefit to me? Thanks!
[08-17-2000] saintly :
Yes, PGP is only for email between yourself and the client. Each person intending to use it has to set it up, but it's obviously not a popular pick. Nobody wants to ask clients to download and install software, rely on them to do it correctly and use it to encrypt email communications...

Apache is a program that is designed to serve web pages. In order for clients to see web pages on a machine, it has to be running some sort of web server that reads the web pages off a disk and sends them to the browser (like Netscape) when the client asks. Microsoft provides one software package to do this, called IIS. There are a few other options, but far and away the most popular package for doing it is the free server software package called Apache. It is fast, reliable and easily extensible. Since it is the most popular, most other documentation describing web servers uses it as an example.

If you already have a host site, or you are using someone else's site or server to host your pages, then you do not need Apache (or the host site may already be running it).

Does that help explain Apache?
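The public/private key exchange Saintly outlines in the first answer and recaps above, as an added example using openssl rather than PGP (not the original answer's code): the client keeps a passphrase-protected private key, hands out only the public key, and only the private key plus its passphrase recovers the message. Real PGP also wraps a per-message session key, which this example omits; the passphrase, message and file names are constructed.

```shell
#!/bin/sh
# Added example, not code from the original answer: the PGP-style public-key
# exchange done with openssl so it runs without PGP. Assumes openssl is installed;
# passphrase, message and file names are constructed placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"
PASS="correct horse battery staple"   # constructed passphrase guarding the private key

# Client side: a key pair whose private half is stored encrypted under the
# passphrase. Only client.pub is ever shared with the other party.
make_keypair() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -aes-256-cbc -pass "pass:$PASS" -out "$WORK/client.key" 2>/dev/null
  openssl pkey -in "$WORK/client.key" -passin "pass:$PASS" -pubout \
    -out "$WORK/client.pub" 2>/dev/null
}

# Sender side: needs nothing but the client's public key. Writes msg.enc.
encrypt_for_client() {
  printf '%s' "$1" > "$WORK/plain.txt"
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/client.pub" \
    -in "$WORK/plain.txt" -out "$WORK/msg.enc"
}

# Client side again: the private key plus its passphrase ($1) recovers the text.
decrypt_as_client() {
  openssl pkeyutl -decrypt -inkey "$WORK/client.key" -passin "pass:$1" \
    -in "$WORK/msg.enc" 2>/dev/null
}

# The property the answer states: a public key encrypts but cannot decrypt.
public_key_cannot_decrypt() {
  if openssl pkeyutl -decrypt -pubin -inkey "$WORK/client.pub" \
       -in "$WORK/msg.enc" >/dev/null 2>&1; then echo no; else echo yes; fi
}

make_keypair
encrypt_for_client "Client note: account 0000 (constructed sample)"
echo "decrypted with key + passphrase: $(decrypt_as_client "$PASS")"
echo "wrong passphrase rejected: $(decrypt_as_client "not-it" >/dev/null || echo yes)"
echo "public key cannot decrypt: $(public_key_cannot_decrypt)"
```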
[08-17-2000] perfectsites : Hi Saintly ~

Yes, that was a big help! And I do already have my own domain hosted by my ISP and am hosting my client's site on my web space there. More than likely, my ISP already has Apache, so I'll just contact them to investigate further.

Thank you so much for taking the time to clarify that for me.

You have really been a great help and it is so nice of you to donate your advice like this ~ it's wonderful to know there's still cool people like you in the world.

Best Regards, Shirley
[08-17-2000] saintly : Always glad to help...
[08-20-2000] saintly : If you're through with this question however, you can close & rate it. That way it goes to the answer library for others to read if they have similar questions!
[08-21-2000] perfectsites : Sorry, I was just trying to have a bit of a life of my own and I took the weekend off ~ didn't even check the e-mail or I get sucked in again!! LOL!!

Thanks again for all your help!

Best Regards, Shirley
[08-22-2000] saintly : ?? Oh.. I'm sorry. I'm not completely sure how the user-end works. There should be a radio button that says 'close and rate this question' instead of 'reply'. If you click that, pick a rating and hit "submit", then this question goes to the answer library.

Copyright © 2000 ExpertCentral.com, Inc. All Rights Reserved.