Send emails securely via ASP

S

Saiyan Vejita

I've been working with ASP for 6+ years now, but in that time I've
never had any solid advice on how to build a secure system. So I
thought I'd ask here first.

Anyway, here's the situation: I have a client who wants to take credit
card information via ASP form (https) and then send the resulting
content (which may be either HTML- or text-formatted) to their email
account, which they access using Outlook (2000, I believe). I want to
build the system to make it as secure as is reasonably possible; at
the same time, they want to make it easy to read / retrieve their
signed/encrypted messages.

I know their are a lot of components out on the market that permit
programmatic encryption of data, but I don't know enough about what I
need to make an informed buying decision. I've heard that encrypting
the email content and then signing the entire message is the proper
thing to do, but how do I actually do that via code? And I definitely
don't understand how the message is handled once it reaches Outlook
(via POP, IMAP or Exchange -- they haven't decided on which yet).

My brain is full of things such as AES, MD5 + SHA-1, SSL, S/MIME and
such -- how do I put all these things together into an effective
solution? Any light ya'll can shed on this would be greatly
appreciated. Thanks in advance............



-=Tek Boy=-
 
R

Ray at

I don't necessarily have answers to your questions, but FWIW, when we did
the website at my company (a bank), e-mailing sensitive data was something
that we discussed with our security department and the OCC, and we all
agreed that it should simply not be done. All of our form data is retrieved
via an https admin area on the server, and no customer data is ever e-mailed
anywhere. It was all just simply to insecure to consider e-mailing.

Ray at work
 
T

Tek Boy

Believe me, I agree -- the more links in the chain, the more susceptible the
entire system is to being compromised. But I'm not making the business
decisions here, nor will I be held liable for any fallout stemming from
privacy violations. As such, all I can do is offer up informed
recommendations and do whatever they want done after-the-fact. It's this
scenario that I'm operating within.......... not ideal, just the way it has
to be.


-=Tek Boy=-
 
J

Jeff Cochran

I've been working with ASP for 6+ years now, but in that time I've
never had any solid advice on how to build a secure system. So I
thought I'd ask here first.

Anyway, here's the situation: I have a client who wants to take credit
card information via ASP form (https) and then send the resulting
content (which may be either HTML- or text-formatted) to their email
account, which they access using Outlook (2000, I believe). I want to
build the system to make it as secure as is reasonably possible; at
the same time, they want to make it easy to read / retrieve their
signed/encrypted messages.

I know their are a lot of components out on the market that permit
programmatic encryption of data, but I don't know enough about what I
need to make an informed buying decision. I've heard that encrypting
the email content and then signing the entire message is the proper
thing to do, but how do I actually do that via code? And I definitely
don't understand how the message is handled once it reaches Outlook
(via POP, IMAP or Exchange -- they haven't decided on which yet).

My brain is full of things such as AES, MD5 + SHA-1, SSL, S/MIME and
such -- how do I put all these things together into an effective
solution? Any light ya'll can shed on this would be greatly
appreciated. Thanks in advance............

Best bet (besides being a bit smarter and not doing it at all) might
be to look at PGP encryption components and add-ins. It's likely the
easiest to deal with on the receiving end.

Jeff
 
W

William Morris

Tek Boy said:
Believe me, I agree -- the more links in the chain, the more susceptible the
entire system is to being compromised. But I'm not making the business
decisions here, nor will I be held liable for any fallout stemming from
privacy violations.

Call me overly-paranoid, but don't count on that.
As such, all I can do is offer up informed
recommendations and do whatever they want done after-the-fact. It's this
scenario that I'm operating within.......... not ideal, just the way it has
to be.

Recommendations that you can be held liable for, even if you didn't make
them - i.e. sending private information via the least secure route possible.
Blue Cross Blue Shield here in KC needed a fall guy for a project one of the
managers caused to fail, and a good friend of mine got the axe.

CYA, tek boy.

- Wm
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

Forum statistics

Threads
473,744
Messages
2,569,483
Members
44,902
Latest member
Elena68X5

Latest Threads

Top