Gossamer Forum

SSL and online ordering

SSL and online ordering
I am using SSL on my client's server where the user fills out their info on an order form. The order form is then sent through Matt Wright's formmail program to the accounts dept. My question is - "is SSL enough?" I tried to install PGP on my computer but I can't get it to decode the message no matter what plugin/email client I'm using. Any input is appreciated.

Thanks.


------------------
Jason
Extreme mtb
http://extreme.nas.net
Re: SSL and online ordering
Hi jdulberg.
SSL is not enough, because formmail is not a secure way to send confidential information.
Check the PGP version that you have on your server and the PGP version you have on your computer. Usually, if you have 2.8 on the server and 6.0 on your computer, there are some problems. Try downloading PGP 5.0 from www.pgpi.com

Another way is to store the information on the server in a protected directory and retrieve it through SSL. That way you can download the information to your computer relatively securely.


------------------
Rogerio Morais
http://www.rogerle.com
Re: SSL and online ordering
Crap, I just checked and it looks like Vservers only has PGP version 2.6.2 and I have 6.0.2 installed on my computer.

How would I go about doing something like you suggested for the storage in a protected directory? I suppose that I would need a CGI script that would do that. I'd need it to send me/my client an email message when an order is put into that directory.

I'm pretty new to the whole PGP thing and my client isn't that knowledgeable with computers so your suggestion may be the best way to go. Please let me know how I would go about doing it.

Thanks!


------------------
Jason
Extreme mtb
http://extreme.nas.net
Re: SSL and online ordering
Hi Jason,

Deja vu! :)

I have 5.5 on my computer with Outlook 98 and it's working fine, and I'm on Vservers too.

Anyway, I fink you've been at it for a while, so if you want to go for storing the orders on the server, why not use dbMan? Just install dbMan as normal, add a subroutine after add_success to send an email to the user and the administrator and password protect the directory that it's in (which will automatically bypass the login screen).

For extra security, keep the data files below document root. For extra-extra security, add a small subroutine up top to check that the script is being accessed from https. And don't tell anyone about it! :)

adam

[This message has been edited by dahamsta (edited May 25, 1999).]
Re: SSL and online ordering
How did you get it to run on Vservers if they only have 2.6.2 and you have 5.5?

Alex is installing DBMan SQL on my server so I guess I could just use that. I'd just take out the view, search, modify etc. on the html.pl. As for the script that detects https, that's all greek to me.

Which way would be the best way to go, PGP or the dbman thing? I have to make this thing easy for my client to do so I need to keep that in mind as well.

To me, PGP sounds easier to do but I'd have to upgrade the version of PGP on vservers which I unfortunately don't exactly know how to do.

Thanks again for your help.


------------------
Jason
Extreme mtb
http://extreme.nas.net
Re: SSL and online ordering
Man, I can't thank you enough!

I've been using the normal ol' dbman for a while now so setting that up should be easy enough. I'd just have to throw in that SSL thing that you were talking about. I'm using the safeserver thing at Vservers as well. I have a database in MS Excel for all of the info so maybe I can just integrate it together somehow. The data from the PGP email would be typed into the database anyways so having it already in dbman saves a bit of work.

I look forward to seeing what you come up with.

Thanks again!

------------------
Jason
Extreme mtb
http://extreme.nas.net
Re: SSL and online ordering
 
Quote:
How did you get it to run on Vservers if they only have 2.6.2 and you have 5.5?

In retrospect, I don't think I *did* test it, but I did today and it worked. After a lot of fecking about. (That's fecking, which isn't rude in Ireland. :))

Quote:
Alex is installing DBMan SQL on my server so I guess I could just use that. I'd just take out the view, search, modify etc. on the html.pl.

SQL no less! Lucky bastard! I was onto Alex about it recently, but I can't afford it at the moment. Weeeell, I can't even afford the shareware version, too much time spent on the boards! :) Anyway, there's no need to remove the routines from html.pl, you could just set the permissions to allow a default user add, and everything else denied except for administrators.

Quote:
As for the script that detects https, that's all greek to me.

For extra security when you're accessing the order data it would be better to view your database through your browser in encrypted mode, i.e. use Vservers' catch-all secure server and access it through https://yourserver.safeserver.com. You could add a small little subroutine at the top of db.cgi to check you're coming through SSL.

Quote:
Which way would be the best way to go, PGP or the dbman thing? I have to make this thing easy for my client to do so I need to keep that in mind as well.

Really up to you. The advantage of PGP is that the orders go direct to the administrator's mailbox, which they can then decrypt with the click of a button. The advantage of an online system is that as you build it up you can add in capabilities like letting a user check if their item has been shipped, or relating it to a stock database to check if an item is in stock. Of course you may not have the capability of adding this now (I'm not casting aspersions, maybe you have! :)), but you could always add them later. Personally, I would try and marry the two, adding the orders to a database and sending a mail to the administrator with the order as well. That said, PGP would be nice and simple to get you started.

Quote:
To me, PGP sounds easier to do but I'd have to upgrade the version of PGP on vservers which I unfortunately don't exactly know how to do.

Well, 1) you don't have to upgrade PGP on your Vserver and 2) Vservers wouldn't do it for you anyway. :) Nice and all as they are, upgrading PGP on their system would probably be a pretty big job.

Anyway, when all's said and done, none of that is any help to you. So let's see if we can get PGP working for you first? I searched and searched today looking for help on setting up what you want to do and found nothing, so I had a go at it myself today. And I got it to work for me, so what I'll do is write it up for you and hopefully it'll help you get it going. Since it's fairly complicated and there's a script to test it, I'll post it on the net tonight and you can see if that helps any.

Quote:
Thanks again for your help.

That's why I'm here! :)

adam
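
The two measures adam describes in this thread (a check at the top of the script that the request arrived over https, and data files kept outside the web-served tree) could look like the following in Perl. This is an added example, not part of any post and not dbMan's own code; the file path, the pipe delimiter and the sample order are assumptions.

```perl
#!/usr/bin/perl
# Added example (not dbMan's own code): refuse non-SSL requests and keep
# order data in a file the web server never serves.
use strict;
use warnings;
use Fcntl qw(:DEFAULT :flock);

# Assumption: a hypothetical path outside the document root.
my $ORDER_FILE = '/home/example/private/orders.db';

# True only when the web server reports an SSL connection. Apache's mod_ssl
# sets HTTPS=on for CGI scripts; the port check is an assumed fallback for
# servers that do not set that variable.
sub is_https {
    my ($env) = @_;
    return 1 if lc($env->{HTTPS} // '') eq 'on';
    return 1 if ($env->{SERVER_PORT} // '') eq '443';
    return 0;
}

# Stop before any form data is read or displayed over plain HTTP.
sub require_https {
    return if is_https(\%ENV);
    print "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n";
    print "This page is only available over https.\n";
    exit 0;
}

# Append one pipe-delimited record (delimiter is an assumption). The
# delimiter and line breaks are stripped from every field so a value
# cannot forge extra columns or rows.
sub append_order {
    my ($file, @fields) = @_;
    s/[|\r\n]+/ /g for @fields;
    sysopen(my $fh, $file, O_WRONLY | O_APPEND | O_CREAT, 0600)
        or die "cannot open order file: $!";
    flock($fh, LOCK_EX) or die "cannot lock order file: $!";
    print {$fh} join('|', @fields), "\n";
    close($fh) or die "cannot write order file: $!";
}

# Run as a CGI: check first, then store. Sample values are constructed.
if ($ENV{GATEWAY_INTERFACE}) {
    require_https();
    append_order($ORDER_FILE, 'Jane Example', 'jane@example.com', '2 x tyre');
    print "Content-Type: text/plain\r\n\r\nOrder received.\n";
}
```

The file is created with mode 0600, so only the account the script runs under can read it; retrieving the orders still has to go through a password-protected page served over https, as the posts above suggest.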
Re: SSL and online ordering
Jason,

Ok, there's a page on PGP here -- dotcgi.com/pgp/ , but as I say on the page, don't take my word for it, I'm only an amateur at this stuff (I should make that my sig on these boards!). There's a small script there too, that will let you test to see if everything is working ok.

Over the next few days I'll try and tidy it up as best I can, and I might even integrate it with my natty form-mailer, but as it stands it might help you get started on something anyway.

Cheers,
adam