secure forms…
Hi there, just wondering: apart from SSL-ing the form data (i.e. redirecting to https), are there alternatives to this?
The client is a doctor's office, and the concern is that the c5 form data might not be secure "enough".
My thought is this: if a visitor enters data on the c5 site and clicks submit, but the c5 db saves the data on the server and does not email the data to the addressed recipient, would that constitute "enough" security?
Granted, it's a small-town doctor's office and I don't necessarily think that a $200+ annual SSL cert fee can be justified.
Security experts… what do you think?
also why I will leave shopping carts and payment data to entities that are PCI-compliant.
The fine is something like $500k for handling billing data incorrectly.
though part of the referral and appointment data might have diagnosis/possible diagnosis in it.
Just FYI... you can get an SSL cert for a year for like $15 from places like rapidsslonline.com. It's just as secure as certs from places like Verisign... it just doesn't have the big name attached. I have a cert from there and I just pay $2 a month for a dedicated IP from my hosting provider.
Hi jgarcia, thanks for your reply. Just curious: why do big-name companies like Verisign, Thawte, GeoTrust etc. cost so much more vs. unknowns like the one you mentioned?
I would guess that part of it is their verification process. I just bought an SSL cert from Verisign for a client. They contacted my company by phone, required our company name appear in the WHOIS and wanted to speak with my boss after hours to verify information. They can even go as far as requiring copies of your company's incorporation papers, etc. We didn't control the domain at the time. It took weeks for us to order the SSL, transfer the domain, have Verisign go over everything and finally email a cert to us. They don't mess around!
He doesn't have to keep it off email :)
He can actually secure it pretty easily using email. Construct the email, but instead of inserting the content into the body, insert it into an attachment. But not in plaintext. Generate a keypair and use it to encode the data using the public key. Then give the client the private key to decipher the content. That's a pretty secure way of transporting sensitive information. All is entirely dependent on the security of the private key. And that would be up to your client ;)
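The encrypted-attachment scheme in the reply above, written out as an added Go example (this is not code from the thread, from concrete5, or from any poster). It assumes the usual hybrid construction, since RSA on its own cannot encrypt a whole submission: a fresh AES-256-GCM key per submission, wrapped with the recipient's RSA-OAEP public key, so the web server only ever holds the public half. The function names, the JSON envelope layout and the sample submission are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Envelope is what gets attached to the notification email instead of the
// plaintext submission (hypothetical layout chosen for this example).
type Envelope struct {
	WrappedKey string `json:"wrapped_key"` // RSA-OAEP(public key, AES key), base64
	Nonce      string `json:"nonce"`       // AES-GCM nonce, base64
	Ciphertext string `json:"ciphertext"`  // AES-GCM(form data) with auth tag, base64
}

// NewRecipientKey generates the keypair. The private half stays with the
// doctor's office; only the public half is deployed on the web server.
func NewRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal runs on the web server at form-submission time.
func Seal(pub *rsa.PublicKey, formData []byte) (*Envelope, error) {
	key := make([]byte, 32) // fresh AES-256 key for this submission only
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, formData, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	b64 := base64.StdEncoding.EncodeToString
	return &Envelope{WrappedKey: b64(wrapped), Nonce: b64(nonce), Ciphertext: b64(ct)}, nil
}

// Open runs on the recipient's machine. A wrong private key or any change to
// the attachment makes OAEP or GCM return an error rather than garbage.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dec := base64.StdEncoding.DecodeString
	wrapped, err := dec(env.WrappedKey)
	if err != nil {
		return nil, err
	}
	nonce, err := dec(env.Nonce)
	if err != nil {
		return nil, err
	}
	ct, err := dec(env.Ciphertext)
	if err != nil {
		return nil, err
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(nonce) != gcm.NonceSize() { // gcm.Open panics on a bad nonce length
		return nil, fmt.Errorf("bad nonce length %d", len(nonce))
	}
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	priv, err := NewRecipientKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample submission, not real patient data.
	submission := []byte("name=Jane Doe&reason=follow-up appointment&phone=555-0100")
	env, err := Seal(&priv.PublicKey, submission)
	if err != nil {
		panic(err)
	}
	attachment, _ := json.Marshal(env) // the bytes to attach to the email
	fmt.Printf("attachment (%d bytes): %s\n", len(attachment), attachment)
	var received Envelope
	_ = json.Unmarshal(attachment, &received)
	pt, err := Open(priv, &received)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recipient recovered: %s\n", pt)
}
```

Two things this does and does not cover, in line with the rest of the thread: it protects the email leg (the mail server and any mailbox in between only see the envelope), but the browser-to-server leg is still plaintext without HTTPS, so it complements rather than replaces the SSL cert the other replies recommend; and, as the poster says, everything rests on the private key, which should never be on the web server or sent through the same mailbox.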
1) Yes. Keep it out of email, for the love of god.
2) Check out "HIPAA"; there are standards and rules for medical information.
3) It depends on what the information is. If it includes medical details and not just a name and schedule time, then yes, be careful with this data. An SSL is probably a starting point.
4) There are vendors who offer SSLs for >$100/yr.