Thread: Secure sites

    #1
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2000
    Posts
    70
    Rep Power
    14
    I see many web sites with pages, e.g. CC detail forms, within an SSL secure site server but clearly without any encrypting such as PGP. Does this offer any protection?
  2. #2
    Apprentice Deity
    Devshed Loyal (3000 - 3499 posts)

    Join Date
    Jul 1999
    Location
    Niagara Falls (On the wrong side of the gorge)
    Posts
    3,237
    Rep Power
    19
    Does your browser display the locked padlock icon? If so, then it is secure. Just because you can't see the encryption doesn't mean it isn't happening.
  4. #3
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2000
    Posts
    70
    Rep Power
    14

    But can't see public key


    Thanks for taking the time to reply, Rod. If I look at the source code for some pages offering 'a secure site' I cannot see reference to any Public Key. I myself have pages using PGP and the Public Key is visible via View | Source.

    I can also have a 'standard' html form that sends info from a web page that is on a Secure Server - where I can see the Padlock - but this info is not encrypted.

    Surely the latter does not offer any/much protection?
  6. #4
    Apprentice Deity
    Devshed Loyal (3000 - 3499 posts)

    Join Date
    Jul 1999
    Location
    Niagara Falls (On the wrong side of the gorge)
    Posts
    3,237
    Rep Power
    19
    You don't need to 'see' the keys, they're there.

    The en/decryption is handled by the server and the browser in the background.

    When an https connection is first established the browser and client exchange public keys. (A little more complicated than that but you get the idea).

    When the server sends content it first encrypts the data with the client's public key, which is then decrypted by the client and the content is displayed. (You never see the keys or the encrypted content.) When the client sends a request (including any form data you might have submitted) the data is first encrypted by the client with the server's public key. Again, you won't see the encrypted data being sent or the key it is encrypted with.

    This is extremely secure.
  8. #5
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2001
    Posts
    4
    Rep Power
    0
    Apache with SSL encrypts the connection (the session) between you and the server. If Apache is supposed to launch sendmail to send something to you, the transmission between smtpd and your mail server is not. Does this answer your question?
  10. #6
    Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2000
    Location
    Galway, Ireland
    Posts
    10
    Rep Power
    0
    There is a lot of this: people branding their sites as secure just because the data from the form to the server takes place over SSL and is then emailed to an admin.
    The email part is insecure. As you said it must be PGP or something equivalent to do the job.

    But what is commonly done is the data is stored in the database and only a notice email is sent to the admin with no private info.

    Admin then logs in securely over an SSL and reads the data.

    Hope this helps

    --cj
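
The store-then-notify pattern described in the post above, as an added example that is not part of the original thread: the form data stays in the database and the admin mail carries only a reference. The table name, addresses, URL and sample data are assumptions made up for this sketch, and protecting the stored rows at rest is a separate concern not shown here.

```python
import sqlite3
from email.message import EmailMessage

# Assumed names for this sketch: table "orders", ADMIN_URL, mail addresses.
ADMIN_URL = "https://shop.example/admin/orders/{id}"  # admin reads over SSL

def open_store(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS orders ("
                 "id INTEGER PRIMARY KEY, name TEXT, card_number TEXT, expiry TEXT)")
    return conn

def store_submission(conn, form):
    """Keep the sensitive form fields server-side; return only the row id."""
    cur = conn.execute(
        "INSERT INTO orders (name, card_number, expiry) VALUES (?, ?, ?)",
        (form["name"], form["card_number"], form["expiry"]))
    conn.commit()
    return cur.lastrowid

def build_notice(order_id, admin_addr="admin@shop.example"):
    """Notification mail carries a reference only, never the form contents."""
    msg = EmailMessage()
    msg["From"] = "noreply@shop.example"
    msg["To"] = admin_addr
    msg["Subject"] = f"New order #{order_id}"
    msg.set_content("A new order is waiting. Log in to view it:\n"
                    + ADMIN_URL.format(id=order_id) + "\n")
    return msg

def leaked_fields(msg, form):
    """Return names of form fields whose values appear anywhere in the mail."""
    raw = msg.as_string()
    return [k for k, v in form.items() if v and v in raw]

def handle_form(conn, form):
    order_id = store_submission(conn, form)
    msg = build_notice(order_id)
    if leaked_fields(msg, form):   # fail closed before anything is sent
        raise ValueError("notice would expose submitted data")
    return order_id, msg           # caller hands msg to its mailer

# Constructed sample input (a well-known test card number, not real data).
SAMPLE = {"name": "A. Customer", "card_number": "4111111111111111",
          "expiry": "12/30"}

if __name__ == "__main__":
    oid, notice = handle_form(open_store(), SAMPLE)
    print(notice)
```
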
  12. #7
    Apprentice Deity
    Devshed Loyal (3000 - 3499 posts)

    Join Date
    Jul 1999
    Location
    Niagara Falls (On the wrong side of the gorge)
    Posts
    3,237
    Rep Power
    19
    You guys are right. It never occurred to me that someone might actually send a plain email containing the data they just received over a secure server. SHEESH, scary what some people do.
