Protect Form info


I have a form where users enter their Social Security number and Date
of Birth. I was wondering if I need to request a certificate for SSL
on our Windows Web server so we can protect the information when it is
sent from the client to the server on the network? Is this something
where SSL is the best solution for protecting the transmission?

Re: Protect Form info

On Fri, 17 Aug 2007 02:33:06 +0200,  

SSL is clearly a must have here. Self-signed is possible, doesn't create  
much trust though, so by all means buy one.

Rik Wasmus

Re: Protect Form info wrote:

Asking for SSN and not knowing about SSL... very scary. It'd be
good to get up to speed on security long before you go
asking for personal information like that.

Unless it's tax, investment, or possibly health care related,
you shouldn't have any need for someone's SSN.  In those
cases, your company should have a plethora of security related
people that can help you make things as secure as possible,
if they don't then don't ask for the SSN.

Don't think that simply by adding SSL, you're secure, and
anyone providing that information to anyone else really
should question the need for them asking for it in the
first place.

Re: Protect Form info


Thanks for the info. What is more secure than using SSL?

Re: Protect Form info wrote:


You are asking the wrong question.

Suppose I had a large sum of money I wanted to deliver to you. Suppose
for security reasons I put it in a lock box with a combination that only
you and I knew. Suppose after I handed you the lock box, you took the
box home and opened the box to count the money. What is keeping the
money secure while you are counting it? Where are you going to keep it?
If you keep it locked up, where will you keep the key?

What is keeping your users' private data secure once it has arrived at
the server?

A few years ago I was bidding on an update to an ecommerce web site. I
found out that the original developer used SSL to protect credit card
numbers, then stored them unencrypted in an Access database with no
password in an easily guessable directory and easily guessable file
name. Anyone who guessed the file name could type the URL into their
browser and download all of the credit card numbers.

There is more involved with security than SSL.
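
An added example, not part of the original thread: a small audit a site owner could run over their own web root to catch the failure described in the post above, where a data file sits where the web server can serve it and holds card numbers in cleartext. The extension list, the sample file layout and the test number 4111111111111111 are constructed assumptions.

```python
import os
import re
import tempfile

# Extensions that usually hold data rather than pages (assumed list; extend for your stack).
DATA_EXTENSIONS = {".mdb", ".accdb", ".sqlite", ".db", ".csv", ".bak", ".sql"}
CARD_CANDIDATE = re.compile(rb"(?<!\d)\d{13,16}(?!\d)")

def luhn_valid(digits):
    """Luhn checksum over a bytes string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def audit_web_root(web_root):
    """Return {url_path: plaintext_card_count} for data files stored inside the web root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in DATA_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                hits = [m for m in CARD_CANDIDATE.findall(fh.read()) if luhn_valid(m)]
            rel = os.path.relpath(full, web_root).replace(os.sep, "/")
            findings["/" + rel] = len(hits)
    return findings

def demo():
    """Constructed sample site: one data file under the web root, one outside it."""
    sample = {"wwwroot/index.html": b"<html></html>",
              "wwwroot/db/orders.csv": b"id,card\n1,4111111111111111\n2,1234567890123456\n",
              "private/orders.csv": b"id,card\n1,4111111111111111\n"}
    with tempfile.TemporaryDirectory() as base:
        for rel, body in sample.items():
            path = os.path.join(base, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        return audit_web_root(os.path.join(base, "wwwroot"))

if __name__ == "__main__":
    for url_path, cards in demo().items():
        print(f"{url_path}: stored under web root, {cards} plaintext card-like number(s)")
```

Any file this reports belongs outside the document root, and a non-zero count means the sensitive field is stored without encryption.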

Re: Protect Form info wrote:
It wouldn't matter, because SSL is the secure communication protocol
that's built into browsers. Others aren't.

Re: Protect Form info


Just stop doing that altogether. For many very well-discussed reasons,
you should just not ever hold, store, fold, spindle or mutilate that
particular bit of information. Search for the arguments against doing
it before you even begin to ask how to do it.

If you should (and these reasons are very narrow), then you should
already be competent to do so, and your question indicates that you're
