I am looking at using my site to collect customer information/orders. So I need an SSL certificate, and I want to send these informations to my email (by a secured way). Can someone point me in the right direction?
wheel
2:40 pm on Aug 17, 2011 (gmt 0)
You're looking at two processes. From the client to your webserver, that happens encrypted if you have an SSL certificate and you're running on an https connection. See your web hosting company for that setup.
Once the info lands on your webserver though, it's unencrypted. Now you've got a problem. If you store it in a database, that database is prone to hacking. If you immediately email it to yourself through some type of form to email program, your email is unencrypted and readable. So you need to somehow encrypt email - that is possible but I've always found it a real pita whenever I looked at it.
I'm doing something similar, I'm forcing the information from a form to an offsite location via a second SSL connection where it is then printed - basically taken offline. So it goes from client's computer to my webserver via SSL, then from webserver to offsite computer via SSL, to a printer.
That could potentially still be hacked (say info stays in memory or something). And that's probably not the path you want - but it's the type of considerations you'll need to work through. There are different options, I'm doing one (and probably not one that's even commonly used).
rocknbil
3:36 pm on Aug 17, 2011 (gmt 0)
and I want to send these informations to my email (by a secured way).
If these "informations" are credit card or other sensitive info, don't even consider this.
There is really only one "secure" way - to set up public/private keys for the server and recipient email. It's extremely complicated and still has all sorts of holes - including the security of the recipient computer. Then you are still liable for PCI compliance of your site.
The other implication here, if it is credit card info, is that you have an offline credit card processing method, such as an in-store terminal, and are attempting to collect orders via the Internet and process them through that account. If this is true, most of the agreements for those specifically disallow orders collected on the Internet and are for card present or phone in orders only. If you get caught, you'll be liable for all of the transactions processed that violate your contract as well as fines that can exceed $30K. It's a *big deal.*
The "right" way to do this is to post to a credit card processor gateway (or a service like PayPal) and never even see the credit card info. This will still give you all you need to process orders.
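The public/private key setup mentioned in the reply above, as an added example that is not part of the original thread: the web server S/MIME-encrypts a non-card order to the recipient's certificate with the `openssl` CLI, so the server never holds the decryption key. The addresses, file names and order text are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: encrypt an order on the web server using only the
# recipient's public certificate. All names and data are constructed.

# One-time, on the RECIPIENT's machine: create a key pair and certificate.
# Only recipient.crt is copied to the web server; recipient.key never is.
make_recipient_keys() {  # $1 = output directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=orders@example.com" \
    -keyout "$1/recipient.key" -out "$1/recipient.crt" 2>/dev/null
}

# On the WEB SERVER: encrypt the order text read from stdin.
# The output is a complete S/MIME message ready to hand to the mailer.
encrypt_order() {  # $1 = recipient certificate
  openssl smime -encrypt -aes256 -subject "New order" \
    -from "web@example.com" -to "orders@example.com" "$1"
}

# On the RECIPIENT's machine: decrypt with the private key.
# S/MIME canonicalises line endings to CRLF, so strip the CRs again.
decrypt_order() {  # $1 = certificate, $2 = private key
  openssl smime -decrypt -recip "$1" -inkey "$2" | tr -d '\r'
}

# Round trip with a constructed order that contains no card data.
demo() {
  demo_dir=$(mktemp -d)
  make_recipient_keys "$demo_dir"
  printf 'Order 1001: 2 x widget, ship to Jane Doe\n' \
    | encrypt_order "$demo_dir/recipient.crt" > "$demo_dir/order.eml"
  decrypt_order "$demo_dir/recipient.crt" "$demo_dir/recipient.key" \
    < "$demo_dir/order.eml"
  rm -rf "$demo_dir"
}

demo
```

A compromise of the web server exposes the certificate but not past messages; the private key on the recipient machine remains the thing to protect.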
akerman
6:15 pm on Aug 17, 2011 (gmt 0)
If you search Google for "secure credit card form" you will find a page from CryptoHeaven with step-by-step details how to make the change in your HTML code to securely "post" using SSL (https) protocol the form's content into an encrypted storage account. The change is very simple, usually only 1 line of code. This requires a small account with CryptoHeaven and all your forms will be stored securely and accessible to you online in your secure email area. Using this will also eliminate the need to purchase your own SSL certificate.
Whoa. Big thank you for taking time to answer my question. All three answers are very interesting, and I will also consider the legal issues of my project.