







email from web form to host email server - secure?
neutrino

2006-04-28, 7:06 pm

having just read a posting from someone asking about - when receiving
email from web form to host site email, what was a secure way to
forward the occasional one onto someone else....
it made me wonder---
when you receive an email from your website form and it's sent ONLY to
your host site's email, and not forwarded anywhere - is this a secure
way of receiving confidential info'? how IS web form email handled?
is it not transmitted across the net to its destination, but goes
direct from your web to the host email server - no chance of being
intercepted? could this be an easy way of receiving confidential info?
especially if you only access and read it by logging into your host
site, and do not forward it anywhere?
Curious.

Roy Schestowitz

2006-04-28, 7:06 pm

__/ [ neutrino ] on Friday 28 April 2006 18:18 \__

Hi,

> having just read a posting from someone asking about - when receiving
> email from web form to host site email, what was a secure way to
> forward the occasional one onto someone else....
> it made me wonder---
> when you receive an email from your website form and it's sent ONLY to
> your host site's email, and not forwarded anywhere - is this a secure
> way of receiving confidential info'? ...



No. The only secure method is to encrypt your message. Any other form will
propagate through routers, which are in essence open to curious minds and
pairs of eyes. Additionally, you need confidence in your host and ISP.
Choose a foreign or dodgy one and your data will be more susceptible to
being misused.


> ...how IS web form email handled ? ...



Most of them run on the Web server, which in turn dispatches an E-mail
message. Your data is visible to the sysadmin of that server.


> .. is it not transmitted across the net to its destination, but goes
> direct from your web to the host email server - no chance of being
> intercepted? could this be an easy way of receiving confidential info? ...



No. It depends how much you are willing to invest in privacy and how much you
have to lose. Encryption is often the only true solution.


> ... especially if you only access and read it by logging into your host
> site, and do not forward it anywhere?
> Curious.



If I understand you correctly, you want form E-mails to originate on the
host's domain and remain there only for yourself and your host to have
access to. I believe you will be on the safe side because messages sent to
one's own domain do not hop onto third parties' daemons. They are being
delivered directly to the local box.

Best wishes,

Roy

--
Roy S. Schestowitz | "Software sucks. Open Source sucks less."
http://Schestowitz.com | SuSE Linux ¦ PGP-Key: 0x74572E8E
6:55pm up 1 day 2:00, 13 users, load average: 0.69, 0.87, 0.63
http://iuron.com - next generation of search paradigms
William Tasso

2006-04-28, 7:06 pm

Fleeing from the madness of the schestowitz.com / MCC / Manchester
University jungle
Roy Schestowitz <newsgroups@schestowitz.com> stumbled into
news:alt.www.webmaster
and said:

> ...
> If I understand you correctly, you want form E-mails to originate on the
> host's domain and remain there only for yourself and your host to have
> access to. I believe you will be on the safe side because messages sent
> to one's own domain do not hop onto third parties' daemons. They are being
> delivered directly to the local box.


One shouldn't rely on that as gospel - in fact this is a very inefficient
configuration. Mail should live on a mail server, allowing the web
server(s) to get on with the task of serving web documents. However, it
is unlikely [*] that anyone except the host/ISP/admin will be able to
intercept packets running between the two servers.

[*] meaning one shouldn't rely on this either. When it comes to
security/confidentiality ... assume nothing.
--
William Tasso

http://williamtasso.com/words/what-is-usenet.asp
neutrino

2006-04-29, 6:53 pm

Yes that's what I mean - "E-mails to originate on the
> host's domain and remain there only for yourself and your host to have
> access to".

a visitor completes an email form on the web site, and it's delivered
to the host domain email,
and not forwarded - only accessible to be read when the site owner logs
into the host domain
and accesses the email, and whatever info is to be taken from the
emails received - could be copy/pasted into
a Word or Excel report on their PC, to store the info', therefore the
thinking behind this is that the email received
would not have been sent across the net, and therefore would be a
secure method of receiving the info,
even if not an "official" way of saying so - but nevertheless should be
a secure way of receiving,
since the security issue comes into play when email is transmitted from
place to place.

hug

2006-04-29, 6:53 pm

"neutrino" <stuartr@bluebottle.com> wrote:

>Yes that's what I mean - "E-mails to originate on the
>a visitor completes an email form on the web site, and it's delivered
>to the host domain email,
>and not forwarded - only accessible to be read when the site owner logs
>into the host domain
>and accesses the email, and whatever info is to be taken from the
>emails received - could be copy/pasted into
>a Word or Excel report on their PC, to store the info', therefore the
>thinking behind this is that the email received
>would not have been sent across the net, and therefore would be a
>secure method of receiving the info,
>even if not an "official" way of saying so - but nevertheless should be
>a secure way of receiving,
>since the security issue comes into play when email is transmitted from
>place to place.


If your web-based email form doesn't check for things like newlines,
even though you think you are sending it only to yourself you could
also be acting as a spam relay.

As Roy mentioned, there are times when encryption is the only good
solution.

However, if you want a solution as secure or more secure than
encryption in this particular case, you might consider changing the
way your email-to-self is handled. Instead of sending it through the
mail system, just write its contents to a file on your server. That
way the admin can look at it and nobody else can, assuming your file
permissions are sufficiently restrictive.

--
http://www.ren-prod-inc.com/hug_sof...?action=contact
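As an added example (not code from this thread or from any poster), a small Python form handler that does the newline check hug describes, so a visitor cannot smuggle extra headers or recipients into the mail, and, as the alternative he suggests, appends submissions to a file that only the owner can read. Field names, addresses and the address pattern are constructed for the demo.

```python
import os
import re
import tempfile
from email.message import EmailMessage

# A CR or LF inside a header value ends that header and starts another,
# which is how a form becomes a relay for mail you never meant to send.
HEADER_BREAK = re.compile(r"[\r\n]")
# Constructed, deliberately loose address check (not full RFC 5322 syntax).
ADDRESS = re.compile(r"^[^\s@<>,;]+@[^\s@<>,;]+\.[^\s@<>,;]+$")


def check_form(form):
    """Return None if the form fields can safely go into headers, else the reason."""
    for field in ("email", "subject"):
        if HEADER_BREAK.search(form.get(field, "")):
            return "%s: line break in header field" % field
    if not ADDRESS.match(form.get("email", "")):
        return "email: not a single plain address"
    return None


def build_notification(form, site_owner):
    """Build the email-to-self message; the recipient is fixed, never read from the form."""
    problem = check_form(form)
    if problem:
        raise ValueError(problem)
    msg = EmailMessage()
    msg["To"] = site_owner                     # constant chosen by the site owner
    msg["Reply-To"] = form["email"].strip()    # validated above: one address, no CR/LF
    msg["Subject"] = "[web form] " + form.get("subject", "").strip()
    msg.set_content(form.get("message", ""))   # body text may contain newlines; headers may not
    return msg


def store_submission(form, path=None):
    """hug's alternative: append the submission to a file created with mode 0600.

    Returns the file's permission bits so the caller can confirm they are 0o600.
    path=None (demo default, constructed) writes into a fresh temporary directory.
    """
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "submissions.txt")
    record = "from=%s\nsubject=%s\n%s\n---\n" % (
        form.get("email", ""), form.get("subject", ""), form.get("message", ""))
    # O_CREAT with 0o600 sets owner-only permissions atomically at creation time.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(record)
    return oct(os.stat(path).st_mode & 0o777)
```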
Jerry Stuckle

2006-04-29, 6:53 pm

neutrino wrote:
> Yes that's what I mean - "E-mails to originate on the
>
>
> a visitor completes an email form on the web site, and it's delivered
> to the host domain email,
> and not forwarded - only accessible to be read when the site owner logs
> into the host domain
> and accesses the email, and whatever info is to be taken from the
> emails received - could be copy/pasted into
> a Word or Excel report on their PC, to store the info', therefore the
> thinking behind this is that the email received
> would not have been sent across the net, and therefore would be a
> secure method of receiving the info,
> even if not an "official" way of saying so - but nevertheless should be
> a secure way of receiving,
> since the security issue comes into play when email is transmitted from
> place to place.
>


No, the mail is forwarded. It is forwarded from the MTA (Mail Transport
Authority) used by the webserver to the MTA used by the receiver.

These may be on the same machine (in which case the MTA would act as both
sending and receiving MTAs), or they may be on different servers.

Additionally, just the entering of data into the web form is in itself insecure
unless using SSL; the information is flowing from the client machine to your web
host.

Additionally, when you retrieve the email from your server, you are sending the
email over the internet.

There are three ways of ensuring confidential information remains confidential:

1. Encrypt the data before it is sent from their workstation, and decrypt it
after it has been received at your workstation.
2. Have your server in a bank vault where only you have the combination. You
have a password which changes once every minute you use for admin signon - and
you're the only one who has it. Use SSL for all connections to and from the server.
3. Don't send it over the internet. Instead, have the client seal the
information in a plain brown wrapper and physically hand it to you.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Roy Schestowitz

2006-04-29, 6:53 pm

__/ [ hug ] on Saturday 29 April 2006 13:27 \__

> "neutrino" <stuartr@bluebottle.com> wrote:
>
>
> If your web-based email form doesn't check for things like newlines,
> even though you think you are sending it only to yourself you could
> also be acting as a spam relay.
>
> As Roy mentioned, there are times when encryption is the only good
> solution.
>
> However, if you want a solution as secure or more secure than
> encryption in this particular case, you might consider changing the
> way your email-to-self is handled. Instead of sending it through the
> mail system, just write its contents to a file on your server. That
> way the admin can look at it and nobody else can, assuming your file
> permissions are sufficiently restrictive.


I imagine that the OP is BCC'ing the messages to self. I may be wrong or
presumptuous because I BCC all messages to myself, which makes me inclined
to think along these lines.

Writing to file is both laborious and an unorganised way of handling
information. Encryption to self would work wonders. I recommend PGP, which
is free and robust. The best practice is to never include sensitive
information in E-mail. E-mail is unpredictable and not secure. It's like FTP
or HTTP. Because some clueless sites post passwords in plain text, I made
a habit of choosing separate, simpler passwords for third-party,
so-called 'Mickey Mouse' services. Never remain too uniform security-wise,
e.g. sticking with similar passwords for your Web site and Digg. Script
kiddies can sniff packets.

Best wishes,

Roy

--
Roy S. Schestowitz | Software patents destroy innovation
http://Schestowitz.com | SuSE Linux ¦ PGP-Key: 0x74572E8E
5:05pm up 2 days 0:10, 13 users, load average: 0.25, 0.70, 0.71
http://iuron.com - Open Source knowledge engine project
Baho Utot

2006-04-29, 10:56 pm

Jerry Stuckle wrote:

[putolin]

> No, the mail is forwarded. It is forwarded from the MTA (Mail Transport
> Authority) used by the webserver to the MTA used by the receiver


That would be Mail Transport Agent (MTA), which is essential for sending
email. Sendmail is an example of a Mail Transport Agent.

Have you been snorting too much MS lately?

--
Dancin' in the ruins tonight
mail: echo onub-hgbg@pbyhzohf.ee.pbz | PERL -pe 'y/a-z/n-za-m/'
Tayo'y Mga Pinoy
Jerry Stuckle

2006-04-29, 10:56 pm

Baho Utot wrote:
> Jerry Stuckle wrote:
>
> [putolin]
>
>
>
>
> That would be Mail Transport Agent (MTA), which is essential for sending
> email. Sendmail is an example of a Mail Transport Agent.
>
> Have you been snorting too much MS lately?
>


You're right - it is Agent, not Authority.

No, not too much MS. Too much Apache authorization lately (working on updating
mod_auth_mysql).

Blinky the Shark

2006-04-29, 10:56 pm

Jerry Stuckle wrote:

> Baho Utot wrote:
> You're right - it is Agent, not Authority.
>
> No, not too much MS. Too much Apache authorization lately (working on
> updating mod_auth_mysql).


MTA is also Metropolitan Transit Authority in various places. :)

And an old Kingston Trio song some of you USans may remember...

http://www.lyricsdepot.com/the-kingston-trio/mta.html

--
Blinky RLU 297263
Killing all posts from Google Groups
The Usenet Improvement Project: http://blinkynet.net/comp/uip5.html
Coming Soon: Filtering rules specific to various real news clients

Copyright 2003 - 2008 forum4designers.com