By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
439,993 Members | 1,947 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 439,993 IT Pros & Developers. It's quick & easy.

Send emails securely via ASP

P: n/a
I've been working with ASP for 6+ years now, but in that time I've
never had any solid advice on how to build a secure system. So I
thought I'd ask here first.

Anyway, here's the situation: I have a client who wants to take credit
card information via ASP form (https) and then send the resulting
content (which may be either HTML- or text-formatted) to their email
account, which they access using Outlook (2000, I believe). I want to
build the system to make it as secure as is reasonably possible; at
the same time, they want to make it easy to read / retrieve their
signed/encrypted messages.

I know their are a lot of components out on the market that permit
programmatic encryption of data, but I don't know enough about what I
need to make an informed buying decision. I've heard that encrypting
the email content and then signing the entire message is the proper
thing to do, but how do I actually do that via code? And I definitely
don't understand how the message is handled once it reaches Outlook
(via POP, IMAP or Exchange -- they haven't decided on which yet).

My brain is full of things such as AES, MD5 + SHA-1, SSL, S/MIME and
such -- how do I put all these things together into an effective
solution? Any light ya'll can shed on this would be greatly
appreciated. Thanks in advance............

-=Tek Boy=-
Jul 19 '05 #1
Share this Question
Share on Google+
5 Replies


P: n/a
I don't necessarily have answers to your questions, but FWIW, when we did
the website at my company (a bank), e-mailing sensitive data was something
that we discussed with our security department and the OCC, and we all
agreed that it should simply not be done. All of our form data is retrieved
via an https admin area on the server, and no customer data is ever e-mailed
anywhere. It was all just simply to insecure to consider e-mailing.

Ray at work
"Saiyan Vejita" <ve**********@hotmail.com> wrote in message
news:e7**************************@posting.google.c om...
I've been working with ASP for 6+ years now, but in that time I've
never had any solid advice on how to build a secure system. So I
thought I'd ask here first.

Anyway, here's the situation: I have a client who wants to take credit
card information via ASP form (https) and then send the resulting
content (which may be either HTML- or text-formatted) to their email
account, which they access using Outlook (2000, I believe). I want to
build the system to make it as secure as is reasonably possible; at
the same time, they want to make it easy to read / retrieve their
signed/encrypted messages.

I know their are a lot of components out on the market that permit
programmatic encryption of data, but I don't know enough about what I
need to make an informed buying decision. I've heard that encrypting
the email content and then signing the entire message is the proper
thing to do, but how do I actually do that via code? And I definitely
don't understand how the message is handled once it reaches Outlook
(via POP, IMAP or Exchange -- they haven't decided on which yet).

My brain is full of things such as AES, MD5 + SHA-1, SSL, S/MIME and
such -- how do I put all these things together into an effective
solution? Any light ya'll can shed on this would be greatly
appreciated. Thanks in advance............

-=Tek Boy=-

Jul 19 '05 #2

P: n/a
Believe me, I agree -- the more links in the chain, the more susceptible the
entire system is to being compromised. But I'm not making the business
decisions here, nor will I be held liable for any fallout stemming from
privacy violations. As such, all I can do is offer up informed
recommendations and do whatever they want done after-the-fact. It's this
scenario that I'm operating within.......... not ideal, just the way it has
to be.
-=Tek Boy=-
"Ray at <%=sLocation%>" <myfirstname at lane34 dot com> wrote in message
news:uz****************@TK2MSFTNGP11.phx.gbl...
I don't necessarily have answers to your questions, but FWIW, when we did
the website at my company (a bank), e-mailing sensitive data was something
that we discussed with our security department and the OCC, and we all
agreed that it should simply not be done. All of our form data is retrieved via an https admin area on the server, and no customer data is ever e-mailed anywhere. It was all just simply to insecure to consider e-mailing.

Ray at work
"Saiyan Vejita" <ve**********@hotmail.com> wrote in message
news:e7**************************@posting.google.c om...
I've been working with ASP for 6+ years now, but in that time I've
never had any solid advice on how to build a secure system. So I
thought I'd ask here first.

Anyway, here's the situation: I have a client who wants to take credit
card information via ASP form (https) and then send the resulting
content (which may be either HTML- or text-formatted) to their email
account, which they access using Outlook (2000, I believe). I want to
build the system to make it as secure as is reasonably possible; at
the same time, they want to make it easy to read / retrieve their
signed/encrypted messages.

I know their are a lot of components out on the market that permit
programmatic encryption of data, but I don't know enough about what I
need to make an informed buying decision. I've heard that encrypting
the email content and then signing the entire message is the proper
thing to do, but how do I actually do that via code? And I definitely
don't understand how the message is handled once it reaches Outlook
(via POP, IMAP or Exchange -- they haven't decided on which yet).

My brain is full of things such as AES, MD5 + SHA-1, SSL, S/MIME and
such -- how do I put all these things together into an effective
solution? Any light ya'll can shed on this would be greatly
appreciated. Thanks in advance............

-=Tek Boy=-


Jul 19 '05 #3

P: n/a
Ray is right, but if you want *something* emailed for notification purposes,
how about a link to a secure login page where the sensitive data can then be
accessed ?
"Ray at <%=sLocation%>" <myfirstname at lane34 dot com> wrote in message
news:uz****************@TK2MSFTNGP11.phx.gbl...
I don't necessarily have answers to your questions, but FWIW, when we did
the website at my company (a bank), e-mailing sensitive data was something
that we discussed with our security department and the OCC, and we all
agreed that it should simply not be done. All of our form data is retrieved via an https admin area on the server, and no customer data is ever e-mailed anywhere. It was all just simply to insecure to consider e-mailing.

Ray at work
"Saiyan Vejita" <ve**********@hotmail.com> wrote in message
news:e7**************************@posting.google.c om...
I've been working with ASP for 6+ years now, but in that time I've
never had any solid advice on how to build a secure system. So I
thought I'd ask here first.

Anyway, here's the situation: I have a client who wants to take credit
card information via ASP form (https) and then send the resulting
content (which may be either HTML- or text-formatted) to their email
account, which they access using Outlook (2000, I believe). I want to
build the system to make it as secure as is reasonably possible; at
the same time, they want to make it easy to read / retrieve their
signed/encrypted messages.

I know their are a lot of components out on the market that permit
programmatic encryption of data, but I don't know enough about what I
need to make an informed buying decision. I've heard that encrypting
the email content and then signing the entire message is the proper
thing to do, but how do I actually do that via code? And I definitely
don't understand how the message is handled once it reaches Outlook
(via POP, IMAP or Exchange -- they haven't decided on which yet).

My brain is full of things such as AES, MD5 + SHA-1, SSL, S/MIME and
such -- how do I put all these things together into an effective
solution? Any light ya'll can shed on this would be greatly
appreciated. Thanks in advance............

-=Tek Boy=-


Jul 19 '05 #4

P: n/a
On 21 Nov 2003 06:59:16 -0800, ve**********@hotmail.com (Saiyan
Vejita) wrote:
I've been working with ASP for 6+ years now, but in that time I've
never had any solid advice on how to build a secure system. So I
thought I'd ask here first.

Anyway, here's the situation: I have a client who wants to take credit
card information via ASP form (https) and then send the resulting
content (which may be either HTML- or text-formatted) to their email
account, which they access using Outlook (2000, I believe). I want to
build the system to make it as secure as is reasonably possible; at
the same time, they want to make it easy to read / retrieve their
signed/encrypted messages.

I know their are a lot of components out on the market that permit
programmatic encryption of data, but I don't know enough about what I
need to make an informed buying decision. I've heard that encrypting
the email content and then signing the entire message is the proper
thing to do, but how do I actually do that via code? And I definitely
don't understand how the message is handled once it reaches Outlook
(via POP, IMAP or Exchange -- they haven't decided on which yet).

My brain is full of things such as AES, MD5 + SHA-1, SSL, S/MIME and
such -- how do I put all these things together into an effective
solution? Any light ya'll can shed on this would be greatly
appreciated. Thanks in advance............


Best bet (besides being a bit smarter and not doing it at all) might
be to look at PGP encryption components and add-ins. It's likely the
easiest to deal with on the receiving end.

Jeff
Jul 19 '05 #5

P: n/a

"Tek Boy" <ve****************@hotmail.com> wrote in message
news:uv**************@TK2MSFTNGP11.phx.gbl...
Believe me, I agree -- the more links in the chain, the more susceptible the entire system is to being compromised. But I'm not making the business
decisions here, nor will I be held liable for any fallout stemming from
privacy violations.
Call me overly-paranoid, but don't count on that.
As such, all I can do is offer up informed
recommendations and do whatever they want done after-the-fact. It's this
scenario that I'm operating within.......... not ideal, just the way it has to be.


Recommendations that you can be held liable for, even if you didn't make
them - i.e. sending private information via the least secure route possible.
Blue Cross Blue Shield here in KC needed a fall guy for a project one of the
managers caused to fail, and a good friend of mine got the axe.

CYA, tek boy.

- Wm
Jul 19 '05 #6

This discussion thread is closed

Replies have been disabled for this discussion.