Send emails securely via ASP

Discussion in 'ASP General' started by Saiyan Vejita, Nov 21, 2003.

  1. I've been working with ASP for 6+ years now, but in that time I've
    never had any solid advice on how to build a secure system. So I
    thought I'd ask here first.

    Anyway, here's the situation: I have a client who wants to take credit
    card information via ASP form (https) and then send the resulting
    content (which may be either HTML- or text-formatted) to their email
    account, which they access using Outlook (2000, I believe). I want to
    build the system to make it as secure as is reasonably possible; at
    the same time, they want to make it easy to read / retrieve their
    signed/encrypted messages.

    I know there are a lot of components out on the market that permit
    programmatic encryption of data, but I don't know enough about what I
    need to make an informed buying decision. I've heard that encrypting
    the email content and then signing the entire message is the proper
    thing to do, but how do I actually do that via code? And I definitely
    don't understand how the message is handled once it reaches Outlook
    (via POP, IMAP or Exchange -- they haven't decided on which yet).

    My brain is full of things such as AES, MD5 + SHA-1, SSL, S/MIME and
    such -- how do I put all these things together into an effective
    solution? Any light ya'll can shed on this would be greatly
    appreciated. Thanks in advance............



    -=Tek Boy=-
     
    Saiyan Vejita, Nov 21, 2003
    #1

  2. Saiyan Vejita

    Ray at Guest

    I don't necessarily have answers to your questions, but FWIW, when we did
    the website at my company (a bank), e-mailing sensitive data was something
    that we discussed with our security department and the OCC, and we all
    agreed that it should simply not be done. All of our form data is retrieved
    via an https admin area on the server, and no customer data is ever e-mailed
    anywhere. It was all just simply too insecure to consider e-mailing.

    Ray at work


    "Saiyan Vejita" <> wrote in message
    news:...
    > I've been working with ASP for 6+ years now, but in that time I've
    > never had any solid advice on how to build a secure system. So I
    > thought I'd ask here first.
    >
    > Anyway, here's the situation: I have a client who wants to take credit
    > card information via ASP form (https) and then send the resulting
    > content (which may be either HTML- or text-formatted) to their email
    > account, which they access using Outlook (2000, I believe). I want to
    > build the system to make it as secure as is reasonably possible; at
    > the same time, they want to make it easy to read / retrieve their
    > signed/encrypted messages.
    >
    > I know there are a lot of components out on the market that permit
    > programmatic encryption of data, but I don't know enough about what I
    > need to make an informed buying decision. I've heard that encrypting
    > the email content and then signing the entire message is the proper
    > thing to do, but how do I actually do that via code? And I definitely
    > don't understand how the message is handled once it reaches Outlook
    > (via POP, IMAP or Exchange -- they haven't decided on which yet).
    >
    > My brain is full of things such as AES, MD5 + SHA-1, SSL, S/MIME and
    > such -- how do I put all these things together into an effective
    > solution? Any light ya'll can shed on this would be greatly
    > appreciated. Thanks in advance............
    >
    >
    >
    > -=Tek Boy=-
     
    Ray at, Nov 21, 2003
    #2

  3. Saiyan Vejita

    Tek Boy Guest

    Believe me, I agree -- the more links in the chain, the more susceptible the
    entire system is to being compromised. But I'm not making the business
    decisions here, nor will I be held liable for any fallout stemming from
    privacy violations. As such, all I can do is offer up informed
    recommendations and do whatever they want done after-the-fact. It's this
    scenario that I'm operating within.......... not ideal, just the way it has
    to be.


    -=Tek Boy=-


    "Ray at <%=sLocation%>" <myfirstname at lane34 dot com> wrote in message
    news:uzI$%...
    > I don't necessarily have answers to your questions, but FWIW, when we did
    > the website at my company (a bank), e-mailing sensitive data was something
    > that we discussed with our security department and the OCC, and we all
    > agreed that it should simply not be done. All of our form data is retrieved
    > via an https admin area on the server, and no customer data is ever e-mailed
    > anywhere. It was all just simply too insecure to consider e-mailing.
    >
    > Ray at work
    >
    >
    > "Saiyan Vejita" <> wrote in message
    > news:...
    > > I've been working with ASP for 6+ years now, but in that time I've
    > > never had any solid advice on how to build a secure system. So I
    > > thought I'd ask here first.
    > >
    > > Anyway, here's the situation: I have a client who wants to take credit
    > > card information via ASP form (https) and then send the resulting
    > > content (which may be either HTML- or text-formatted) to their email
    > > account, which they access using Outlook (2000, I believe). I want to
    > > build the system to make it as secure as is reasonably possible; at
    > > the same time, they want to make it easy to read / retrieve their
    > > signed/encrypted messages.
    > >
    > > I know there are a lot of components out on the market that permit
    > > programmatic encryption of data, but I don't know enough about what I
    > > need to make an informed buying decision. I've heard that encrypting
    > > the email content and then signing the entire message is the proper
    > > thing to do, but how do I actually do that via code? And I definitely
    > > don't understand how the message is handled once it reaches Outlook
    > > (via POP, IMAP or Exchange -- they haven't decided on which yet).
    > >
    > > My brain is full of things such as AES, MD5 + SHA-1, SSL, S/MIME and
    > > such -- how do I put all these things together into an effective
    > > solution? Any light ya'll can shed on this would be greatly
    > > appreciated. Thanks in advance............
    > >
    > >
    > >
    > > -=Tek Boy=-

    >
    >
     
    Tek Boy, Nov 21, 2003
    #3
  4. Saiyan Vejita

    Jeff Cochran Guest

    On 21 Nov 2003 06:59:16 -0800, (Saiyan
    Vejita) wrote:

    >I've been working with ASP for 6+ years now, but in that time I've
    >never had any solid advice on how to build a secure system. So I
    >thought I'd ask here first.
    >
    >Anyway, here's the situation: I have a client who wants to take credit
    >card information via ASP form (https) and then send the resulting
    >content (which may be either HTML- or text-formatted) to their email
    >account, which they access using Outlook (2000, I believe). I want to
    >build the system to make it as secure as is reasonably possible; at
    >the same time, they want to make it easy to read / retrieve their
    >signed/encrypted messages.
    >
    >I know there are a lot of components out on the market that permit
    >programmatic encryption of data, but I don't know enough about what I
    >need to make an informed buying decision. I've heard that encrypting
    >the email content and then signing the entire message is the proper
    >thing to do, but how do I actually do that via code? And I definitely
    >don't understand how the message is handled once it reaches Outlook
    >(via POP, IMAP or Exchange -- they haven't decided on which yet).
    >
    >My brain is full of things such as AES, MD5 + SHA-1, SSL, S/MIME and
    >such -- how do I put all these things together into an effective
    >solution? Any light ya'll can shed on this would be greatly
    >appreciated. Thanks in advance............


    Best bet (besides being a bit smarter and not doing it at all) might
    be to look at PGP encryption components and add-ins. It's likely the
    easiest to deal with on the receiving end.

    Jeff
     
    Jeff Cochran, Nov 21, 2003
    #4
  5. "Tek Boy" <> wrote in message
    news:...
    > Believe me, I agree -- the more links in the chain, the more susceptible the
    > entire system is to being compromised. But I'm not making the business
    > decisions here, nor will I be held liable for any fallout stemming from
    > privacy violations.


    Call me overly-paranoid, but don't count on that.

    > As such, all I can do is offer up informed
    > recommendations and do whatever they want done after-the-fact. It's this
    > scenario that I'm operating within.......... not ideal, just the way it has
    > to be.


    Recommendations that you can be held liable for, even if you didn't make
    them - i.e. sending private information via the least secure route possible.
    Blue Cross Blue Shield here in KC needed a fall guy for a project one of the
    managers caused to fail, and a good friend of mine got the axe.

    CYA, tek boy.

    - Wm
     
    William Morris, Nov 21, 2003
    #5