**----------------------------**

SECURE SERVER TIPS

Recently I have been getting inquiries as to whether or not the BNBFORM (http://bignosebird.com/carchive/bnbform.shtml) script can be used on a secure server. The answer is "YES" - BUT! The script should be configured to only write the information to a properly protected directory. If you have the form actually send you e-mail, well, that e-mail is unencrypted and sort of defeats the purpose of having encrypted it in the first place.

The only change you need to make is to actually install the script in the correct directory and call it like this:

ACTION="https://secure.yourdomain.com/cgi-bin/bnbform.cgi" (EXAMPLE ONLY!)

The major difference between secure and unsecure pages is the service name. Notice the "s" in "https"? This indicates a call to a secure server instead of an "insecure" one. ;-)

Here are the gory details....

Normal webpage requests (HTTP) are delivered on IP port #80. Huh? Okay. Let's say you have a server such as BIGNOSEBIRD.COM. If you ping BIGNOSEBIRD.COM, you will see something like:

64 bytes from 207.252.75.17: icmp_seq=0 ttl=64 time=1.1 ms

The IP number is 207.252.75.17. Of course a server does much more than serve up web pages. It allows FTP file transfers, e-mail, telnet, and other services. Each service runs on what is called a "port". Some common ports are:

Service   What it does                  Port Number
-------   ------------                  -----------
http      delivers regular web pages    80
telnet    allows remote logins          23
ftp       file transfers                21
smtp      e-mail handling               25
https     secure web pages              443

So as you can see, the big difference between regular and secure web is that regular is on port number 80 and secure is on port 443. Of course there are exceptions, but they are rare.

To properly configure BNBFORM (or any script) to run on a secure server, write to your host and ask the following questions:

1.)
How do I call my pages (URL), i.e., https://secure.mydomain.com/cgi-bin/script.cgi or https://mydomain.com/cgi-bin/script.cgi or https://mydomain.com/secure-bin/script.cgi
2.) What is the full path to the secure script directory?
3.) What are the proper permission settings for scripts and data files?

**----------------------------**

HOW SECURE IS SECURE?

There is a lot of stuff floating around these days regarding privacy on the Internet. I think that Scott McNealy at Sun recently said something to the effect, "You never had any privacy - get over it." Makes sense in a way. Here's something to think about... How much privacy do you have in a traditional brick and mortar store? I swear this is true. My wife once sent me to get her "something" at the local super-pharmacy. The cashier had to involve half the store's employees in finding out the correct price. It even involved using the PA system!

As a quick follow-up to the information above on secure servers, I ask the question: "How secure is the data on the server?" Most people do not realize that the risks do not end just because they sent something over a secure connection. SSL (Secure Sockets Layer) only prevents two types of attacks: ones where a person sets up a server to try and impersonate yours, and ones where somebody tries to "sniff" or intercept and read your traffic. Once the data is written to disk, it is not protected any more than data sent by regular HTTP. It is important for you to know who can access the directories containing your customers' data, such as credit card numbers or other personal data that might be of a sensitive nature. Ask your hosting company or system administrator who can access your secure directories. Ask what care is taken with back-up tapes. Get the idea?

You should also check with your host about a secure method to get the data off their server. Regular FTP is NOT secure! Ask if they have "ssh" or some other method available.
You can also create a secure script in a password protected directory to download the file to your browser, but that shall be a lesson for another day...
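As an added example (not code from the newsletter and not the bnbform script itself), here is a small Python form handler that applies the advice from both sections above: it checks that the form ACTION is an https:// URL (port 443 by default, per the port table), refuses a submission unless the CGI environment says it arrived over TLS (assuming the Apache convention of HTTPS=on or SERVER_PORT=443), and writes each submission to an owner-only 0600 file inside a 0700 directory instead of e-mailing it. The directory, field names and values in the demo are constructed; in practice the data directory should sit outside the web document root.

```python
# Added example, not code from the BigNoseBird newsletter or from bnbform.cgi.
# It applies the newsletter's advice in Python: accept a form post only over
# https (port 443), and write the submission to a directory that only the
# script's owner can read, instead of e-mailing it in the clear.
import os
import secrets
import stat
import tempfile
import time
from urllib.parse import urlsplit

# Default ports taken from the newsletter's port table.
DEFAULT_PORTS = {"http": 80, "https": 443}


def describe_action(action_url):
    """Break a form ACTION URL down to scheme, host and the port it implies.

    'secure' is True only for https; the port is the explicit one if the URL
    carries one, else the scheme's default from the table above.
    """
    parts = urlsplit(action_url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return {"scheme": scheme, "host": parts.hostname, "port": port,
            "secure": scheme == "https"}


def request_is_https(environ):
    """True when the CGI environment says this request came in over TLS.

    Assumption: the Apache/CGI convention of HTTPS=on (or SERVER_PORT=443).
    """
    if environ.get("HTTPS", "").lower() in ("on", "1"):
        return True
    return environ.get("SERVER_PORT") == "443"


def check_data_dir(path):
    """Refuse a data directory that group or world can read, write or enter."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise ValueError(f"{path} is not a directory")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is group/world accessible; chmod 700 it")
    return True


def store_submission(data_dir, fields, now=None):
    """Write one submission to a new owner-only (0600) file and return its path."""
    check_data_dir(data_dir)
    stamp = int(now if now is not None else time.time())
    # Random suffix so concurrent posts never collide; O_EXCL refuses to
    # reuse a pre-existing file or symlink of the same name.
    name = f"{stamp}-{secrets.token_hex(4)}.txt"
    path = os.path.join(data_dir, name)
    old_umask = os.umask(0o077)  # make 0600 stick regardless of inherited umask
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    finally:
        os.umask(old_umask)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        for key, value in fields.items():
            # One field per line; strip line breaks so a value cannot forge a field.
            clean = str(value).replace("\r", " ").replace("\n", " ")
            fh.write(f"{key}: {clean}\n")
    return path


def handle_post(environ, action_url, data_dir, fields):
    """Gate a submission on both checks the newsletter describes, then store it."""
    if not describe_action(action_url)["secure"]:
        raise ValueError("form ACTION must be an https:// URL")
    if not request_is_https(environ):
        raise ValueError("request did not arrive over https; refusing to store it")
    return store_submission(data_dir, fields)


if __name__ == "__main__":
    # Constructed demo: a temporary 0700 directory stands in for the real one.
    demo_dir = tempfile.mkdtemp()
    saved = handle_post(
        {"HTTPS": "on", "SERVER_PORT": "443"},
        "https://secure.yourdomain.com/cgi-bin/bnbform.cgi",
        demo_dir,
        {"name": "Jane Example", "card": "[constructed test value]"},
    )
    print("stored", saved, oct(stat.S_IMODE(os.stat(saved).st_mode)))
```

The permission check is deliberately strict: a 0755 data directory fails even though the files inside are 0600, because directory listing alone tells another account on the host which submissions exist. Retrieval is still left to a channel such as ssh/scp, as the newsletter advises; nothing here makes FTP any safer.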