Return CGI Library
We have a secure server (several actually).
It's easy to use, as there really isn't anything special about it
other than the fact that all communications between the server software
and the browser are encrypted... which means that your CGI and HTMLs
behave the same as normal...
The BIG gotcha is the digital server ID.
(See below for a work around.)
The other gotcha is handling the information you received securely.
Digital Server IDs:
Netscape checks to make sure that the server's certificate and
the URL match. Which means that virtual servers each need their own
server-ID certificate from a recognized certificate authority (CA).
Verisign.com,
and Thawte.com)
were the first two big CAs, then Verisign bought Thawte :-(.
BareMetal resells the GeoTrust.com
"True BusinessID" product.
Digital IDs are not cheap... (prices are in US dollars.)
The Thawte certificates are currently (Dec 2002) $199 for the
first year, and $159 per year after. Verisign Certificates are
much more expensive being $349 for the first year and $249 per
year afterward. We can sell the GeoTrust product for $150/yr.
Which is better?
From an encryption point of view, they are all the same.
Verisign has been around longer, so it's accepted by more of the older
browsers as a valid certificate authority. GeoTrust
is a newer player, with "only" 98% of the browsers in common use
automatically recognizing their certificates (even Verisign and Thawte
can't quite claim 100%, their original CA root certificates
have expired, and very old browsers won't recognize their certs
anymore.) [p.s. The GeoTrust QuickSSL ids are different, and
not as widely recognized.]
If you are curious about digital IDs, your browser should show you
a "locked" icon when you visit a secure page
like
https://swww.baremetal.com/baremetal/ . If you click on that icon
it should show you the details of the digital ID.
Alternative:
The way around this is to put your pages under OUR digital ID.
e.g Keep the secure areas of your site to a small
number of pages and use a URL like
https://secure.baremetal.com/yourcompany/page.html for those pages.
Handling Data Securely
OK, so the secure server software encrypts the data as it gets transfered
from the visitors web browser to the server... now what?
Our recommendation is to use a program like
PGP to encrypt sensitive data as soon
as it's received. At that point you can either save the encrypted
data to a file or mail it to yourself. The
mail2 gadget understands how to combine templates and PGP.
Of course you can do whatever you like with the data. But
it sort of defeats the purpose of using a secure server if you don't
handle the data appropriately.
So, how do you PGP encrypt your data? Easy, the
mail2 gadget will PGP encode the data
between <PGP> ... </PGP> tags in any templates you use.
(
PGP part of the mail2 docs. )
Or you if you don't want to use a template, you can use the
pgpmail gadget, which behaves just like the
old formmail gadget but change the
action tag to be /ssl-bin/pgpmail ...
|