GeodSoft logo   GeodSoft

Secure Sockets Layer (SSL)

Nearly all web users are familiar with "secure" sites where the browser's security indicator comes on (Internet Explorer's broken key is made whole or the Netscape's lock is closed) when a Secure Sockets Layer (SSL) connection has been established. Knowledgeable web users know that the information they are sending to the web server is encrypted. It's imperative that all organizations that have SSL enabled web sites understand that this only provides protection for the transmissions between the web browser and the web server by encrypting the information that is being passed between them.

Use of SSL has the effect of raising the web user's expectations that their information will be handled in a responsible manner once it is received by the web server. The user can not and should not know how his or her sensitive information is being handled; if they did, intruders would also know. Though the user cannot know how their data is being handled, organizations that use SSL have a greater responsibility to handle data collected via SSL connections in a responsible manner wherever that data is stored and however it is transmitted between systems.

Once the information, including credit card information is transmitted to the web server, it is entirely up to the organization that runs the web site to ensure that this information is handled in an appropriate manner. Most small organizations, and the large majority of associations are small organizations, do not host their own web sites but rather use a web hosting service.

At best it's misleading to use SSL between a browser and a web server and then to transfer or store the same data at any subsequent step in a less secure manner. This is a point that is often overlooked when considering outsourcing services. If you process data collected via SSL connections, then the outsourcing web provider (or your own site if you self host), any systems that this data is passed to and the connections between them should implement security commensurate with that provided by SSL.

A common feature provided by web hosting services is a simple standard interface that allows any web form to be turned into an e-mail. This makes it very simple to create web forms whose contents are e-mailed to association staff who then key the information into the appropriate system. It is almost guaranteed that such e-mail transmissions will not be encrypted and the contents of the web form, including credit card numbers, will be transmitted across the Internet in plain text.

Though the odds of this information actually falling into the wrong hands is fairly small, technically this information is available to the network staff of any mail servers the e-mail message passes through as well as to anyone who can put a sniffer on any network segment through which the e-mail passes. The original browser to web site transmission would have been only slightly more secure without the SSL encryption. Don't put a security facade over the part of the system the customer or member sees and neglect the rest of the system.

Besides e-mail, responsible handling of data collected via SSL would rule out using FTP transfers to move that data back to your systems, unless the data were encrypted prior to the FTP, as standard FTP includes no encryption. If you are sure that the e- mail is encrypted with PGP or SMIME using a key length no shorter than SSL (typically 128 bits for domestic transmissions and 40 bits for international transmissions) this should be an acceptable delivery method. Likewise if data is encrypted by a third party product at least as strong as SSL and subsequently decrypted after being delivered to a secure part of your LAN, then FTP transfers are probably acceptable. Such a tranfer is probably secure but the use of ordinary FTP raises the question or whether the site itself is secure. Transmissions through Secure FTP or tunneled SSH (Secure Shell) should be adequate.

Sensitive data such as credit card numbers should be stored as well as transmitted in a secure fashion. Systems on which such data is stored should be behind a firewall and make use of strong passwords. Access to files, directories and application systems that use this data should be restricted to those staff who need access to do their jobs. Backups and other administrative procedures should not expose such data to unauthorized access; for example unencrypted backups should not be stored at insecure off-site facilities. At a hosted site, an association is implicitly applying the same level of trust to the hosting staff as they do to their own technology staff. Unless all data is encrypted using keys to which the association and not the hosting staff have access to, the hosting staff, as system administrators, have unlimited access to all data stored on the hosted servers.

Unless precautions such as those described above are used, if any user's credit card information or other sensitive data does happen to be compromised, that user could reasonably claim that the organization with the SSL web site used deceptive practices because they knew or should have known that subsequent transmissions and data handling were not comparably protected. The damage to your reputation is likely to be greater than if your site had made no pretense at being secure. Establishing an SSL web site and then subsequently transmitting information collected at that site via less secure methods might also increase your legal liabilities.

transparent spacer

Top of Page - Site Map

Copyright © 2000 - 2014 by George Shaffer. This material may be distributed only subject to the terms and conditions set forth in http://GeodSoft.com/terms.htm (or http://GeodSoft.com/cgi-bin/terms.pl). These terms are subject to change. Distribution is subject to the current terms, or at the choice of the distributor, those in an earlier, digitally signed electronic copy of http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the time of the distribution. Distribution of substantively modified versions of GeodSoft content is prohibited without the explicit written permission of George Shaffer. Distribution of the work or derivatives of the work, in whole or in part, for commercial purposes is prohibited unless prior written permission is obtained from George Shaffer. Distribution in accordance with these terms, for unrestricted and uncompensated public access, non profit, or internal company use is allowed.

 
Home >
Book >
Security >
ssl.htm


What's New
How-To
Opinion
Book
                                       
Email address

Copyright © 2000-2014, George Shaffer. Terms and Conditions of Use.