Bytes IT Community

security question

Hi all,

I've been reading as much as I can on this matter but I still am not
totally clear on what I need to do, so here goes... sorry if the
question isn't totally PHP related, but my entire project is coded in
PHP so I figured this would be as good a place as any to ask.

If I have two PHP scripts, both protected by SSL, and the second script
sends an email containing sensitive data using mail() with info provided
in the first script, is this enough for security or do I also need to
implement something like PGP mail? Basically, is the email secure when
sent out because it is sent over a secure SSL connection, or is this not
the case? Thanks in advance for any feedback.

Marcus

Jul 16 '05 #1


> I've been reading as much as I can on this matter but I still am not
> totally clear on what I need to do, so here goes... sorry if the
> question isn't totally PHP related, but my entire project is coded in
> PHP so I figured this would be as good a place as any to ask.
>
> If I have two PHP scripts, both protected by SSL, and the second script
Scripts are not protected by SSL. Communication between a web
browser and the server may be protected by SSL. SSL is a way to
communicate your credit card number to the scam artist operating
the web site without anyone ELSE being able to see it until the
scam artist sells it to the world. It does not in any way protect
your credit card number from being stuck by a stupid web designer
into a file where anyone in the world can fetch it with the web
browser. (See also: EGGHEAD, although I don't know the exact details
of their security breach that released thousands of credit card
numbers.)
> sends an email containing sensitive data using mail() with info provided
> in the first script, is this enough for security or do I also need to
> implement something like PGP mail?
SSL used by a web server does not in any way protect email sent
by a CGI or PHP page. For that matter, it doesn't protect SQL
queries to a database either unless the database connection is
encrypted.

Where is the email going? If the email is going out over the
Internet, it's vulnerable to snooping in transit. If the email is
going to a mailbox on the same host as the webserver, it may never
show up on a sniffable net cable, so only the admins of the box
could see it. If the email is going someplace else on a LAN, it
may be very difficult for anyone not an employee of your company
or the hosting company to sniff it. This says nothing about what
happens after the email goes into the mailbox. That could be hacked,
or it could be downloaded into a Windows machine with a virus/worm
that sends it all over the Internet.
> Basically, is the email secure when
> sent out because it is sent over a secure SSL connection,
NO! Sending *MAIL* over SSL is independent of the web browser using
SSL. Even if mail is sent encrypted over one hop, don't assume it
will be sent encrypted over all hops. Many (I suspect: nearly all)
mail servers simply don't do encryption of mail messages sending
server-to-server. If you want it encrypted, send it encrypted (e.g.
use PGP).

Oh, yes, just because you use SSL for the web server and PGP for
the email doesn't mean there aren't lots of credit card numbers in
the web server logs.
> or is this not
> the case? Thanks in advance for any feedback.


Gordon L. Burditt
Jul 16 '05 #2
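The advice above, as an added example that is not part of the original thread: the form data is encrypted to the recipient's OpenPGP public key with the PECL gnupg extension before it is handed to mail(), so every SMTP hop and the destination mailbox only ever see ciphertext, and the sensitive fields are read from POST so they never appear in the web server's access log. The recipient address, From header, key fingerprint and keyring location are placeholder assumptions; the recipient's public key is assumed to already be imported into that keyring.

```php
<?php
// Added example, not code from the original post. Assumes the PECL gnupg extension
// is loaded and the recipient's public key is already in the keyring at GNUPGHOME.
declare(strict_types=1);

const RECIPIENT_ADDRESS = 'orders@example.com';            // placeholder
const RECIPIENT_KEY_FPR = 'FINGERPRINT_OF_RECIPIENT_KEY';  // placeholder: 40-hex-char key fingerprint
const KEYRING_HOME      = '/var/www/.gnupg';               // placeholder: readable only by the web user

function encryptForRecipient(string $plaintext, string $fingerprint): string
{
    putenv('GNUPGHOME=' . KEYRING_HOME);
    $gpg = new gnupg();
    $gpg->seterrormode(gnupg::ERROR_EXCEPTION);  // fail loudly instead of returning false
    $gpg->addencryptkey($fingerprint);            // encrypt only to this key
    return $gpg->encrypt($plaintext);             // ASCII-armoured "PGP MESSAGE" block
}

function sendEncryptedNotice(array $fields): bool
{
    // Build the sensitive body from POST fields. Query-string parameters would be
    // written to the access log in clear text, which is the log-leak the reply warns about.
    $body = '';
    foreach ($fields as $name => $value) {
        $body .= sprintf("%s: %s\n", $name, $value);
    }
    $armored = encryptForRecipient($body, RECIPIENT_KEY_FPR);

    $headers = implode("\r\n", [
        'From: webform@example.com',               // placeholder
        'Content-Type: text/plain; charset=utf-8',
    ]);
    // Only the ciphertext reaches mail(); SSL on the web server plays no part from here on.
    return mail(RECIPIENT_ADDRESS, 'New order (PGP encrypted)', $armored, $headers);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $fields = [
        'name' => (string)($_POST['name'] ?? ''),
        'card' => (string)($_POST['card'] ?? ''),
    ];
    // Never echo, log or store $fields in clear text; the plaintext lives only in memory here.
    sendEncryptedNotice($fields);
}
```

The ciphertext is opaque to mail relays, but the mailbox owner still needs the matching private key and a PGP-capable client to read it.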
