I have a form where users enter their Social Security number and Date
of Birth. I was wondering if I need to request a certificate for SSL
on our Windows Web server so we can protect the information when it is
sent from the client to the server on the network? Is this something
where SSL is the best solution for protecting the transmission?

On Fri, 17 Aug 2007 02:33:06 +0200, teser3@hotmail.com
<teser3@hotmail.comwrote:

Quote:

I have a form where users enter their Social Security number and Date
of Birth. I was wondering if I need to request a certificate for SSL
on our Windows Web server so we can protect the information when it is
sent from the client to the server on the network? Is this something
where SSL is the best solution for protecting the transmission?

SSL is clearly a must have here. Self-signed is possible, doesn't create
much trust though, so by all means buy one.

--
Rik Wasmus

teser3@hotmail.com wrote:

Quote:

I have a form where users enter their Social Security number and Date
of Birth. I was wondering if I need to request a certificate for SSL
on our Windows Web server so we can protect the information when it is
sent from the client to the server on the network? Is this something
where SSL is the best solution for protecting the transmission?
>

Yes.

teser3@hotmail.com wrote:

Quote:

I have a form where users enter their Social Security number and Date
of Birth. I was wondering if I need to request a certificate for SSL
on our Windows Web server so we can protect the information when it is
sent from the client to the server on the network? Is this something
where SSL is the best solution for protecting the transmission?
>

Asking for SSN and not knowing about SSL.. very scary. It'd be
good to get up to speed on security long before you go
asking for personal information like that.

Unless it's tax, investment, or possibly health care related,
you shouldn't have any need for someone's SSN. In those
cases, your company should have a plethora of security related
people that can help you make things as secure as possible,
if they don't then don't ask for the SSN.

Don't think that simply by adding SSL, you're secure, and
anyone providing that information to anyone else really
should question the need for them asking for it in the
first place.

don't then don't ask for the SSN.

Quote:

>
Don't think that simply by adding SSL, you're secure, and
anyone providing that information to anyone else really
should question the need for them asking for it in the
first place.

Thanks for the info. What is more secure than using SSL?

teser3@hotmail.com wrote:

Quote:

Thanks for the info. What is more secure than using SSL?

You are asking the wrong question.

Suppose I had a large sum of money I wanted to deliver to you. Suppose
for security reasons I put it in a lock box with a combination that only
you and I knew. Suppose after I handed you the lock box, you took the
box home and opened the box to count the money. What is keeping the
money secure while you are counting it? Where are you going to keep it?
If you keep it locked up, where will you keep the key?

What is keeping your users private data secure once it has arrived at
the server?

A few years ago I was bidding on an update to an ecommerce web site. I
found out that the original developer used SSL to protect credit card
numbers, then stored them unencrypted in an Access database with no
password in an easily guessable directory and easily guessable file
name. Anyone who guessed the file name could type the URL into their
browser and download all of the credit card numbers.

There is more involved with security than SSL.

teser3@hotmail.com wrote:

Quote:

don't then don't ask for the SSN.

Quote:

>
Thanks for the info. What is more secure than using SSL?
>

It wouldn't matter, because SSL is the secure communication protocol
that's built into browsers. Others aren't.

On 17 Aug, 01:33, "tes...@hotmail.com" <tes...@hotmail.comwrote:

Quote:

I have a form where users enter their Social Security number

Just stop doing that altogether. For many very well-discussed reasons,
you should just not ever hold, store, fold, spinlde or mutilate that
particular bit of information. Search for the arguments against doing
it before you even begin to ask how to do it.

If you should (and these reasons are very narrow), then you should
already be competent to do so, and your question indicates that you're
not.