deadlock Message Board

Re: Secure order forms
From Jim on 29 November '98
replying to Secure order forms posted by Andy

>Just been looking at the secure order form service offered by this
>site. Once the secure server has taken the order it mails it to my
>mailbox. Which I then collect at my leisure. Where is the security
>in this, my mailbox is not on a secure server neither do I use a
>secure connection to log on? If this was a secure order form service
>I would expect to log on the secure server and collect my orders in
>a secure environment. But we all know that the Internet is the safest
>way of taking credit orders anyway.

I often get asked this. SSL security makes the connection between the
browser and the server secure for the length of the session. Once you've
placed your order (on ANY secure form) the card details go "somewhere".
The SSL security finishes at that point.

So, in order to maintain your "security", you have to maintain encryption
while the details are stored, waiting for you to pick them up. SSL
cannot do this job because it only maintains a "secure environment"
during the session - it encrypts data "on the fly" but it does not
permanently encrypt data while in storage. In other words, it's the
*connection* that's secure, not the server itself.

If you like, I can set up a password-protected area where you can retrieve
your orders from (some customers ask for this) and yes, I can even
make it SSL secure for you, although both of these methods are really
quite pointless because a) as I said before, you can get a 'secure' page
with or without the SSL encryption, it's the user's choice, and b) your
own mailbox is already password-protected, the same as the password-
protected area. It makes no difference.

Now, there IS a way to maintain the security, and that's to PGP-encrypt
the mail. That would do the job. But do you have a PGP public key for
me to use? Well, do you...?

By the way, if you order anything from this site, you'll be pleased to hear
that your order WILL be PGP-encrypted to me - here's my key:

Answer me honestly: would most people care, or even understand if I told
them about this?

Here's the short answer to your question:

The purpose of a secure form is to convince users to enter their card
details. The only thing users are looking for is the closed padlock
(in Netscape 4 & MSIE, or horizontal blue line in N3). They neither
know nor care about anything else.
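
An added illustration of the PGP approach described in the post above (not part of the original message and not this site's own code): the order is encrypted to the merchant's public key before it is mailed, so it stays ciphertext in the mailbox and on any later connection. It assumes GnuPG 2.1+ is installed; the address, key and order are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example. Assumes GnuPG 2.1+ is installed as `gpg`.
# The address, key and order below are constructed for the demo.
MERCHANT="orders@shop.example"   # hypothetical merchant address

# Build a throwaway keyring so the demo runs offline. A real web server
# would hold only the merchant's PUBLIC key; the private key stays with
# the merchant, so stored or in-transit mail is unreadable to anyone else.
setup_demo_key() {
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Merchant <$MERCHANT>" default default never \
        2>/dev/null
}

# Server side: read the order on stdin, emit a mail whose body is ciphertext.
encrypt_order_mail() {
    printf 'To: %s\nSubject: New order\n\n' "$MERCHANT"
    gpg --batch --quiet --armor --recipient "$MERCHANT" --encrypt
}

# Merchant side: drop the headers, decrypt the body with the private key.
decrypt_order_mail() {
    sed '1,/^$/d' |
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --decrypt 2>/dev/null
}

cleanup_demo_key() {
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$GNUPGHOME"
}

setup_demo_key
trap cleanup_demo_key EXIT

ORDER='Item: widget x1
Card: 4111 1111 1111 1111 (test number)'
MAIL=$(printf '%s\n' "$ORDER" | encrypt_order_mail)

printf '%s\n' "$MAIL"      # what sits in the mailbox: headers + PGP armor
printf '%s\n' "$MAIL" | decrypt_order_mail   # what the key holder reads
```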
