March 8th, 2001, 03:56 PM
I see many web sites with pages , eg CC detail forms, within a SSL secure site server but clearly without any encrypting such as PGP. Does this offer any protection?
March 8th, 2001, 06:36 PM
Does your browser display the locked padlock icon? If so, then it is secure. Just because you can't see the encryption doesn't mean it isn't happening.
March 12th, 2001, 10:55 AM
But can't see public key
Thanks for taking the time to reply, Rod. If I look at the source code for some pages offering 'a secure site' I cannot see reference to any Public Key. I myself have pages using PGP and the Public Key is visable via View | Source.
I can also have a 'standard' html form that sends info from a web page that is on a Secure Server - where I can see the Padlock - but this info is not encrypted.
Surely the latter does not offer any/much protection?
March 12th, 2001, 11:42 AM
You don't need to 'see' the keys, they're there.
The en/de cryption is handled by the server and the browser in the background.
When an https connection is first established the browser and client exchange public keys. (A little more complicated than that but you get the idea).
When the server sends content it first encrypts the data with the clients public key which is then decrypted by the client and the content is displayed. (you never see the keys or the encrypted content). When the client sends a request (including any form data you might have submitted) the data is first encrypted by the client with the servers public key. Again, you won't see the encrypted data being sent or the key it is encryted with.
This is extremely secure.
March 12th, 2001, 11:46 AM
Apache with SSL encrypts the connection (the session) between you and the server. If Apache supposes to launch sendmail to send something to you, the transmission between smtpd to your mail server is not. Does this answer your question?
March 14th, 2001, 08:05 AM
There is a lot of this ppl branding their sites as secure just because the data from the form to server takes place over a SSL then is emailed to a admin.
The email part is insecure. As you said it must be PGP or something equivalent to do the job.
But what is commonly done is the data is stored in the database and only a notice email is sent to the admin with no private info.
Admin then logs in securely over an SSL and reads the data.
Hope this helps
March 15th, 2001, 04:48 PM
You guys are right. It never occured to me tht someone might actually send a plain email containing the data they just received over a secure server. SHEESH, scary what some people do.