|
Posted by neutrino on April 28, 2006, 1:18 pm
having just read a posting from someone asking about - when receiving
email from web form to host site email, what was a secure way to
forward the occasional one onto someone else....
it made me wonder---
when you receive an email from your website form and it's sent ONLY to
your host site's email, and not forwarded anywhere - is this a secure
way of receiving confidential info? how IS web form email handled?
is it not transmitted across the net to its destination, but goes
direct from your web to the host email server - no chance of being
intercepted? could this be an easy way of receiving confidential info?
especially if you only access and read it by logging into your host
site, and do not forward it anywhere?
Curious.
|
|
Posted by William Tasso on April 28, 2006, 2:42 pm
Fleeing from the madness of the schestowitz.com / MCC / Manchester
University jungle
news:alt.www.webmaster
and said:
> ...
> If I understand you correctly, you want form E-mails to originate on the
> host's domain and remain there only for yourself and your host to have
> access to. I believe you will be on the safe side because messages sent
> to one's own domain do not hop onto third parties' daemons. They are being
> delivered directly to the local box.
One shouldn't rely on that as gospel - in fact this is a very inefficient
configuration. Mail should live on a mail server allowing the web
server(s) to get on with the task of serving web documents. However, it
is unlikely [*] that anyone except the host/isp/admin will be able to
intercept packets running between the two servers.
[*] meaning one shouldn't rely on this either. when it comes to
security/confidentiality ... assume nothing.
--
William Tasso
http://williamtasso.com/words/what-is-usenet.asp
|
|
Posted by neutrino on April 29, 2006, 8:03 am
Yes that's what I mean - "E-mails to originate on the
> host's domain and remain there only for yourself and your host to have
> access to".
a visitor completes an email form on the web site, and it's delivered
to the host domain email,
and not forwarded - only accessible to be read when the site owner logs
into the host domain
and accesses the email, and whatever info is to be taken from the
emails received - could be copy/pasted into
a Word or Excel report on their PC, to store the info, therefore the
thinking behind this is that the email received
would not have been sent across the net, and therefore would be a
secure method of receiving the info,
even if not an "official" way of saying so - but nevertheless should be
a secure way of receiving,
since the security issue comes into play when email is transmitted from
place to place.
|
|
Posted by hug on April 29, 2006, 8:27 am
>Yes that's what I mean - "E-mails to originate on the
>> host's domain and remain there only for yourself and your host to have
>> access to".
>a visitor completes an email form on the web site, and it's delivered
>to the host domain email,
>and not forwarded - only accessible to be read when the site owner logs
>into the host domain
>and accesses the email, and whatever info is to be taken from the
>emails received - could be copy/pasted into
>a Word or Excel report on their PC, to store the info, therefore the
>thinking behind this is that the email received
>would not have been sent across the net, and therefore would be a
>secure method of receiving the info,
>even if not an "official" way of saying so - but nevertheless should be
>a secure way of receiving,
>since the security issue comes into play when email is transmitted from
>place to place.
If your web-based email form doesn't check for things like newlines,
even though you think you are sending it only to yourself you could
also be acting as a spam relay.
As Roy mentioned, there are times when encryption is the only good
solution.
However, if you want a solution as secure or more secure than
encryption in this particular case, you might consider changing the
way your email-to-self is handled. Instead of sending it through the
mail system, just write its contents to a file on your server. That
way the admin can look at it and nobody else can, assuming your file
permissions are sufficiently restrictive.
--
http://www.ren-prod-inc.com/hug_soft/store.php?action=contact
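
The two points raised in the post above (rejecting newlines in form fields, and writing the submission to a file with restrictive permissions instead of mailing it), shown as an added example that is not part of the original thread. The function names, field names and storage directory are assumptions chosen for illustration.

```python
import json
import os
import tempfile
import time
import uuid

# Assumed single-line fields that a mail-sending form would copy into headers.
HEADER_FIELDS = ("name", "email", "subject")


def validate_submission(form):
    """Reject CR, LF and NUL in single-line fields; return a cleaned copy."""
    cleaned = {}
    for field in HEADER_FIELDS:
        value = form.get(field, "")
        if any(ch in value for ch in "\r\n\0"):
            raise ValueError(f"control character in field {field!r}")
        cleaned[field] = value.strip()
    cleaned["message"] = form.get("message", "")  # the body may contain newlines
    return cleaned


def store_submission(form, directory):
    """Write a validated submission to a new file only its owner can read."""
    record = validate_submission(form)
    record["received"] = int(time.time())
    path = os.path.join(directory, f"{uuid.uuid4().hex}.json")
    # O_EXCL refuses to reuse an existing file; 0o600 is owner read/write only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(record, fh)
    return path


if __name__ == "__main__":
    inbox = tempfile.mkdtemp()  # mode 0700; in practice a directory outside the web root
    ok = {"name": "Alice", "email": "alice@example.org", "subject": "Quote",
          "message": "line one\nline two"}  # constructed sample input
    print("stored:", store_submission(ok, inbox))
    # Constructed sample: a newline smuggling an extra header into "subject".
    bad = dict(ok, subject="Hi\r\nBcc: list@example.net")
    try:
        store_submission(bad, inbox)
    except ValueError as exc:
        print("rejected:", exc)
```

The storage directory must not be reachable through the web server, otherwise the file permissions do not help.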
|
|
Posted by Roy Schestowitz on April 29, 2006, 12:11 pm
__/ [ hug ] on Saturday 29 April 2006 13:27 \__
>
>>Yes that's what I mean - "E-mails to originate on the
>>> host's domain and remain there only for yourself and your host to have
>>> access to".
>>a visitor completes an email form on the web site, and it's delivered
>>to the host domain email,
>>and not forwarded - only accessible to be read when the site owner logs
>>into the host domain
>>and accesses the email, and whatever info is to be taken from the
>>emails received - could be copy/pasted into
>>a Word or Excel report on their PC, to store the info, therefore the
>>thinking behind this is that the email received
>>would not have been sent across the net, and therefore would be a
>>secure method of receiving the info,
>>even if not an "official" way of saying so - but nevertheless should be
>>a secure way of receiving,
>>since the security issue comes into play when email is transmitted from
>>place to place.
>
> If your web-based email form doesn't check for things like newlines,
> even though you think you are sending it only to yourself you could
> also be acting as a spam relay.
>
> As Roy mentioned, there are times when encryption is the only good
> solution.
>
> However, if you want a solution as secure or more secure than
> encryption in this particular case, you might consider changing the
> way your email-to-self is handled. Instead of sending it through the
> mail system, just write its contents to a file on your server. That
> way the admin can look at it and nobody else can, assuming your file
> permissions are sufficiently restrictive.
I imagine that the OP is BCC'ing the messages to self. I may be wrong or
presumptuous because I BCC all messages to myself, which makes me inclined
to think along these lines.
Writing to file is both laborious and an unorganised way of handling
information. Encryption to self would work wonders. I recommend PGP, which
is free and robust. The best practice is to never include sensitive
information in E-mail. E-mail is unpredictable and not secure. It's like FTP
or HTTP. Because some clueless sites post passwords in plain text, I made
the habit of choosing separate, simpler passwords for third-parties,
so-called 'Mickey Mouse' services. Never remain too uniform security-wise,
e.g. sticking with similar passwords for your Web site and Digg. Script
kiddies can sniff packets.
Best wishes,
Roy
--
Roy S. Schestowitz | Software patents destroy innovation
http://Schestowitz.com | SuSE Linux ¦ PGP-Key: 0x74572E8E
5:05pm up 2 days 0:10, 13 users, load average: 0.25, 0.70, 0.71
http://iuron.com - Open Source knowledge engine project
|