Bontrager Copyright 2004 Bontrager Connection, LLC
When you are viewing a page with an https://... URL and the lock
on your browser is closed, it means you have a secure connection
to a server. The server on a secure connection is often thought
of as a "secure server," but that isn't necessarily
Let me explain.
First, let me mention that I do not consider myself to be a
security expert. That would be a full time job all by itself. My
main job is computer programming. However, I am aware of
security issues and try to make only secure programs.
Some things are just common sense.
Secure connections are made with SSL, which is a form of
encryption to provide secure transmission of data on the
Internet. Data flow between your browser and the server is
encrypted with a secret code.
Notice that it's the transmission of data that is secure.
If the server stores the information received via a secure
transmission, the information might or might not be secure.
SSL provides secure transmission. That's all it does.
for more SSL definitions.
What happens with the information once it arrives at the server
via a secure transmission depends on the parties responsible for
Individuals and Organizations should treat sensitive information
in a manner consistent with good security practices.
Unfortunately, that's not always the case.
When I hear of instances where SSL is used to collect credit
card information from customers, only to then have the
unencrypted credit card information emailed, I shudder. Anyone
who knowingly and willingly subjects sensitive customer
information to insecure environments can not be trusted.
Storing Information On the Server
Information that needs to be secure should be stored on the
server only until the first opportunity to retrieve and remove
it. The less time data is on the server, the less opportunity
Information should be stored in a place on the server where
browsers can't go, in a private area.
That is not possible with all hosting accounts. Business hosting
accounts generally have a cgi-bin, however, and that can be a
good place to "hide" information.
To hide information in the cgi-bin, simply name the files that
contain the information with a ".cgi" file name
extension (or ".pl" if your server requires Perl
scripts to have the .pl extension).
When anyone tries to access information with a browser, and the
file has a .cgi (or .pl) extension, the server will try to run
the file as if it was a Perl script. The browser will then get
only an error message, not the data in the file.
To get at the file with FTP, telnet, or SSH (somewhat like a
secure telnet), the cracker would need to know or guess the
username and password to your server. Depending on your
situation, in may be prudent to encrypt information that needs
to be secure and remain on the server.
Retrieving Information From the Server
Unless you have physical access to the computer that serves your
site to Internet browsers, there are few methods to securely
retrieve data from your server:
- If you have shell
access to your hosting account, SSH is secure. Simply log
in, retrieve the file or open it and copy the contents, then
delete the file if appropriate.
- Have a script send
the information to you with encrypted email.
- Use your browser
to access a CGI program to retrieve and view the information
on the secure server. Master Secure File Viewer from http://willmaster.com/a/24h/pl.pl?msfv
is ideal for this. It can even be used to delete the files
after you've retrieved the information.
Don't use unencrypted
email or FTP with an insecure connection to retrieve sensitive
information. And please don't store information in files where
the contents can be viewed with an Internet browser.
If you're going to
provide a secure connection to your server, follow through and
keep the information secure. Your customers expect that you
It's not a lot of trouble, mostly common sense.
Copyright 2004 Bontrager Connection, LLC
About the Author: