On Thu, 9 Jan 2003, John Sama wrote:

> Great question. I'm curious about the answer to this as well.  I've
> designed what I think is a "secure" Webform, but I'm concerned that in
> its travels through the e-mail system it loses its "secureness" (if
> that's even a word!)

Using an address like http://www.uvm.edu/something/ isn't secure at all.
All traffic sent between the web servers and the end users is unencrypted,
and not that hard for someone to intercept.

http is fine for web browsing, but not OK for transmitting secure
information.  Using an address like https://www.uvm.edu/sometime/ is very
much more secure.  Adding the S in https tells the browser and server to
communicate using SSL, which does a 128-bit encryption of all traffic
sent.

So, using https://www.uvm.edu/something/ is already significantly
more secure than your current page.

From there, it's reasonably secure to have the data emailed to your
account, if you do a few things.  The connection between the web servers
and the email servers is in a well secured network, so that data
transmission is reasonably secure.  You should read your email using secure
protocols.  If you use pine, ssh to zoo instead of telnetting.  Webmail
forces secure access.  If you use a desktop client like
Eudora/Netscape/Outlook, use secure pops or imaps instead of regular pop
or imap.  Those protocols also encrypt traffic.  Information about
configuring your clients for secure mail access is available at
http://www.uvm.edu/cit/email/

In the ideal world, you'd have your webform encrypt the data with a
public key before emailing it, and then only you'd be able to decrypt the
data using your private key.  That requires you to understand
public/private key technology, and install additional software on your
machine, and have reasonable programming skills.  Not for everyone, but
one of the most secure options.

You could also look into storing the information in a mysql database, as
long as you took care to hide the database connect username and password.

Given all that, if you use https, and secure mail access methods, it's
a reasonably secure solution.

The data in a user's UVM email account is as secure as the choices the
user makes.  Connect with the encrypting services (at some point within
the next year, many of the unencrypting services will be turned off, and
people will need to connect securely).  Don't leave your computer logged
into email and walk away from your computer without locking the screen.
Pick a good password, and change it every so often.  Don't share your
password with anyone, ever.  If you follow good practices, the data in
your email account can be very secure.

mga.

> At 03:46 PM 1/9/2003 -0500, you wrote:
> >
> > Could you tell me how secure information would be, were it sent from a
> > form
> > I created to my email?  Like at
> > http://www.uvm.edu/~irisx/irisxReg.html or
> > http://www.uvm.edu/~helix/WISapp.html ??
> > I can make the forms, etc...but is it safe to use them to get people's
> > credit card numbers for a chemistry conference?
> >
> > Best,
> > Trav
> >
> > At 03:18 PM 1/9/2003 -0500, you wrote:
> >> On Thu, 9 Jan 2003, Dean Williams wrote:
> >>
> >> > The Footprints problem tracking application is currently down.
> >> CIT's
> >> > Technical Support Group is working to bring it back up as quickly as
> >> > possible.  I guess this means no one will experience any computing
> >> > problems for a little while.
> >>
> >> People can start having problems again.  Footprints is back on-line.
> >>
> >> mga.
> >
> > Travis S. Delaney
> > Information Technologist
> > HELiX/EPSCoR Programs
> > 216 Marsh Life Science
> > University of Vermont
> > (802)656-9477
>
>
>
> =-=-=-=-=-=-=-=-=-=-=-=
> John L. Sama
> Assistant Director, Living/Learning Center
> University of Vermont, Burlington VT  05405-0384
> Phone: (802) 656-4200
> Fax: (802) 656-0812
> http://www.uvm.edu/~llcenter
>

Mike Austin                           Computing & Information Technology
Systems Programmer                    The University of Vermont
UNIX/DCE Sys Admin                    802.656.8785
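
The first point in the reply above (a form reached or submitted over http:// sends its data unencrypted) can be checked mechanically. The following is an added example, not part of the original thread: it parses a page's forms and reports how each one would travel. The host, paths, field names and the `SENSITIVE` list are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments treated as sensitive (an assumption of this example).
SENSITIVE = ("card", "ccnum", "cvv", "password", "ssn")

class FormAudit(HTMLParser):
    """Collect each form's resolved action URL and its field names."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms = page_url, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty or missing action submits back to the page itself.
            action = urljoin(self.page_url, a.get("action") or "")
            self.forms.append({"action": action, "fields": []})
        elif tag in ("input", "select", "textarea") and self.forms:
            self.forms[-1]["fields"].append((a.get("name") or "").lower())

def audit(page_url, html):
    """Return a list of (action_url, findings) for every form in html."""
    parser = FormAudit(page_url)
    parser.feed(html)
    results = []
    for form in parser.forms:
        findings = []
        if urlsplit(page_url).scheme != "https":
            findings.append("page served without TLS")
        scheme = urlsplit(form["action"]).scheme
        if scheme == "mailto":
            findings.append("mailto: action, data leaves as plain e-mail")
        elif scheme != "https":
            findings.append("form data submitted without TLS")
        if findings and any(s in f for f in form["fields"] for s in SENSITIVE):
            findings.append("sensitive field at risk")
        results.append((form["action"], findings))
    return results

# Constructed sample page (hypothetical host and paths, not from the thread).
SAMPLE = """<form action="/cgi-bin/register" method="post">
<input name="fullname"><input name="CardNumber"></form>
<form action="mailto:organizer@example.edu"><input name="comments"></form>"""

if __name__ == "__main__":
    for page in ("http://www.example.edu/reg.html", "https://www.example.edu/reg.html"):
        for action, findings in audit(page, SAMPLE):
            print(page, "->", action, findings or ["ok"])
```

A relative action inherits the scheme of the page that serves the form, so the same markup is reported as clean once the page itself is reached over https.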