Question : Secure Web Form and SSL

Hi,

I'm not a programmer by any means and have limited knowledge. I've created a web form for students to enroll in training courses. I didn't use formmail so don't have any built-in security other than the server-side validation I included (used perl).
Once submitted, the form creates a verification page and sends an email to myself and to the student. I currently have the form in a protected directory while I'm working on it. There is no personal information required on the form other than names and email addresses. Having read about form hijacking, form spam and possible programming solutions that may or may not work, I think that an SSL is what I need. My web host offers an SSL and it looks simple to implement through their interface. Does this sound like the appropriate tactic?

I have a few questions about an SSL. I've read up on it but just don't know enough to have it all make sense yet. When it's applied, does it span only one web page or will it work for multiple pages in the domain (multiple forms on different pages)? The related thread mentioned that email from a secure SSL form should be sent to an email address on the web host. If I had confirmation emails sent to email addresses outside of the web host, would the email and its contents still be vulnerable to attack?  
I'd appreciate any advice.
Thanks,
Karen

Answer : Secure Web Form and SSL

When you install an SSL certificate on a web server, it typically applies *at least* domain wide. It would be a peculiar scenario for the SSL certificate to not be applied to an entire domain, and just specific pages.

There are also "wildcard" certificates, which can be applied to any number of sub domains as well, but these are typically more expensive. (ex: one.domain.com, two.domain.com, three.domain.com all covered by a single *.domain.com wildcard SSL certificate)

Installing an SSL certificate only protects the data as it goes 'over the wire' from being snooped upon. SSL does not necessarily protect you from form spam, cross-site scripting attacks, etc. Those latter methods need to be handled at the programming / application level most typically, or through some sort of web security proxy or server configuration.

You might start with researching cross-site scripting and cross-site forgery attack methods. Here are two links to get you started:

http://en.wikipedia.org/wiki/Cross-site_request_forgery
http://en.wikipedia.org/wiki/Cross_site_scripting

You might also consider posting a question on EE on how to better secure your forms from spamming, etc., and post it in a topic specific to the type of web language you are using.

If the e-mail is sent through the internet as unencrypted clear text, it can be read by any of the servers and other computers on the network path it travels through to get to its destination. The old analogy is that this is equivalent to sending a postcard. Anyone who touches or is in close enough vicinity can read the message contents.

While I'm not familiar with the company who sponsored this white paper, the details should give you some good additional information:
http://www.slideshare.net/Echoworx/critical-need-for-encrypted-email-and-file-transfer-solutions
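The answer above makes the key point that SSL only protects the bytes in transit; the forgery, spam and "form hijacking" problems have to be handled in the form handler itself. The following is an added example, not code from the original thread, of the three server-side checks a handler for this kind of enrollment form would want: a honeypot field to drop bots, an HMAC-signed anti-CSRF token tied to the visitor's session so a POST forged from another site is rejected, and a CR/LF check on the fields that end up in the notification e-mail's headers (the injection trick that was used against formmail-style scripts). It is written in Python rather than the asker's Perl, and the session id, the hidden field names (`csrf_token`, `website`) and the sample submissions are all constructed for the example.

```python
# Added example (not from the original thread): the server-side checks that an
# SSL certificate does not give you. Python rather than the asker's Perl; the
# logic ports directly to a Perl CGI handler.
import hashlib
import hmac
import secrets
import time

# Assumption: in a real deployment this key is loaded from a config file outside
# the web root so it survives restarts; here it is generated once per process.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_MAX_AGE = 3600  # seconds a token stays valid


def make_csrf_token(session_id, now=None, key=SECRET_KEY):
    """Stateless anti-CSRF token: "<timestamp>.<HMAC(session_id:timestamp)>".

    Emitted into the form as a hidden field. A page on another site cannot read
    this value, so a POST it forges on the student's behalf cannot carry a valid
    one. Binding it to the session id stops a token minted for one visitor
    being replayed for another.
    """
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(key, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def check_csrf_token(token, session_id, now=None, max_age=TOKEN_MAX_AGE, key=SECRET_KEY):
    """True only if the token is well-formed, unexpired, and was minted for this session."""
    try:
        ts_str, mac = token.split(".", 1)
        ts = int(ts_str)
    except (AttributeError, ValueError):
        return False
    current = int(time.time() if now is None else now)
    if ts > current or current - ts > max_age:
        return False
    expected = hmac.new(key, f"{session_id}:{ts_str}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)  # constant-time comparison


def validate_enrollment(form, session_id, now=None, key=SECRET_KEY):
    """Return (ok, reason) for a submitted enrollment form.

    Order of checks: honeypot (cheap bot filter), CSRF token (cross-site
    forgery), then CR/LF in the fields that get copied into mail headers
    (a newline there lets an attacker append Bcc:/To: lines and turn the
    form into an open relay).
    """
    # Honeypot: hidden field (assumed name 'website') that humans never see or fill.
    if form.get("website", "").strip():
        return False, "honeypot filled: likely a bot"
    if not check_csrf_token(form.get("csrf_token", ""), session_id, now=now, key=key):
        return False, "missing, forged or expired CSRF token"
    for field in ("name", "email"):
        value = form.get(field, "")
        if "\r" in value or "\n" in value:
            return False, f"newline in {field}: header injection attempt"
    if "@" not in form.get("email", ""):
        return False, "email address does not look valid"
    return True, "ok"


if __name__ == "__main__":
    sid = "session-abc123"  # constructed session id for the demo
    good = {"name": "Karen", "email": "karen@example.com",
            "csrf_token": make_csrf_token(sid)}
    forged = {"name": "x", "email": "x@example.com"}  # cross-site POST: no token
    hijack = {"name": "Karen",
              "email": "karen@example.com\r\nBcc: victims@example.net",
              "csrf_token": make_csrf_token(sid)}
    for label, submission in (("legitimate", good), ("forged", forged), ("hijack", hijack)):
        print(label, validate_enrollment(submission, sid))
```

The token is stateless on purpose: a CGI script that starts fresh on every request has nowhere convenient to store per-visitor nonces, but it can recompute an HMAC. Whatever you use as `session_id` must itself be something the attacker's site cannot choose, such as a random value in a cookie you set, not the visitor's IP address.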