Articles about secure email and secure internet techniques.
Secure Form Forwarding
In this article I am going to show you how to forward a secure web form using Pretty
Good Privacy (PGP) encryption without needing SSL. This technique is as secure as
PGP secured email and uses the same state-of-the-art encryption technology.
Demo: Watch the secure email form
The Problem
You do not run any SSL secured web pages but want to make sure your customers can
contact you via a PGP secured web page (contact page, order page, etc.) without the
fear of being spied on. There are also cases where you want to offer PGP instead
of an SSL secured connection.
Remember: the average Joe does not know anything about encryption and decryption with
public/private keys. Do not bother your customers with technical details; instead,
offer them a PGP secured solution that works in the background and requires no
knowledge of PGP.
What you need
Solution
The key to your problem is to encrypt all customer data before it is sent over the
Internet to your server. You can accomplish this with JavaScript encryption functions. Once all data is encrypted in the client's browser, your customers send
it via a normal HTTP POST to your server, where you decrypt it.
Step 1: Create Public/Private Key
First, create a public/private key pair: the public key encrypts the web form data
on the client side and the private key decrypts the data back to its original form on the web server. You can create PGP keys with GnuPG.
Step 2: Create Web Form
Now it's time to create the web form where you ask your customers to input their data.
I created a simple test form which includes all the JavaScript you need to encrypt the data.
Demo: Secure Form Demo
Step 3: Server Side Decryption
Before you can start decrypting on the server, you must install
GnuPG. Make sure you do not install GnuPG directly in your wwwroot: you
do not want a hacker to download your private key database!
You are also going to need a wrapper class for GnuPG. If you run .NET, you can use Terry's
GnuPG Wrapper.
Once GnuPG and the GnuPG Wrapper are installed, you can decrypt any encrypted
form data sent by your website customers.
Security Issues
- Make sure you do not accidentally submit your customer data in plain text. Before
you submit, make sure that only encrypted data is sent to the server.
- Install GnuPG inside a directory which cannot be accessed from a web browser.
If you run ASP.NET on a shared server, copy GnuPG into your APP_DATA folder.
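As an added example (not the article's form code or Terry's wrapper), here is a Python server-side gate for the two security issues above: it accepts a POST field only if it is a well-formed ASCII-armored PGP message with a valid CRC-24 (RFC 4880 armor format), so accidentally submitted plain text is rejected before anything reaches GnuPG, and it runs gpg against a key ring directory outside the web root. The `gnupghome` path and the form field contents are assumptions.

```python
import base64
import re
import subprocess

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB  # OpenPGP armor CRC-24 (RFC 4880, 6.1)

def crc24(data: bytes) -> int:
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

ARMOR_RE = re.compile(
    r"^-----BEGIN PGP MESSAGE-----\r?\n"
    r"(?:[A-Za-z-]+: [^\r\n]*\r?\n)*"  # optional armor headers (Version:, Comment:)
    r"\r?\n"                            # blank line ends the headers
    r"([A-Za-z0-9+/=\r\n]+?)\r?\n"      # base64 packet data
    r"=([A-Za-z0-9+/]{4})\r?\n"         # "=" followed by the base64 CRC-24
    r"-----END PGP MESSAGE-----\s*$")

def parse_armor(text: str) -> bytes:
    """Return the binary packet data if `text` is a well-formed armored message
    with a matching checksum; raise ValueError for plain text or damaged input."""
    m = ARMOR_RE.match(text.strip())
    if not m:
        raise ValueError("field does not contain a PGP armored message")
    body = base64.b64decode(re.sub(r"\s", "", m.group(1)), validate=True)
    if crc24(body) != int.from_bytes(base64.b64decode(m.group(2)), "big"):
        raise ValueError("armor checksum mismatch")
    return body

def armor(data: bytes) -> str:
    """Wrap binary packet data in a PGP MESSAGE armor block (for tests and demos)."""
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP MESSAGE-----\n\n" + "\n".join(lines)
            + "\n=" + crc + "\n-----END PGP MESSAGE-----\n")

def decrypt_field(armored: str, gnupghome: str) -> bytes:
    """Gate the POST field, then decrypt with gpg; gnupghome (an assumed path) must lie outside the web root."""
    parse_armor(armored)  # reject plain text before anything reaches gpg
    proc = subprocess.run(
        ["gpg", "--batch", "--quiet", "--homedir", gnupghome, "--decrypt"],
        input=armored.encode(), capture_output=True, check=True)
    return proc.stdout
```

Call `decrypt_field(request_field, "/var/lib/formkeys")` from your POST handler; a plain-text submission raises ValueError and never spawns gpg.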