Are Secure Internet Transactions Really Secure?

06 July 1999 by Stephen Mencik

{Ed. Note: As noted below, the links mentioned in this paper existed at the time it was written in July 1999, but most of them no longer are available}

Modern browsers use a technique called SSL, which stands for Secure Sockets Layer, to encrypt the information that flows between your browser and the web server receiving your order. When the lock or solid key is showing, it means that the browser has established a secure encrypted connection with the server, meaning it is safe to send sensitive data like your credit card. So what could be wrong with this system? What could be wrong, is that SSL only secures the connection between your browser and the web server. It does nothing to protect the information once it is on the server.

For the big companies that can afford to own their own servers and the large capacity communications lines necessary for direct internet connection, this means that as long as you can trust the company, there is no problem. However, many smaller companies cannot afford the luxury of having their own web servers. They use what is known as "third-party hosting." That is where the insecurity comes into play. You now have to trust the web hosting provider, whom you have no knowledge of, and you have to trust that the company has a secure means of getting the information from the server back to themselves. Unfortunately, most do not have such a system.

Most third-party web hosting companies provide a CGI (Common Gateway Interface) program known as "FormMail" for their clients. What this program does, is take the contents of an Internet form, such as the one you put your credit card information on, and sends it back to the company via email. There is no protection for this email, no SSL, no encryption protection at all. These third party hosting companies even suggest that the secure forms be handled that way. An example can be found at http://www.biz2001.com/webhosting/part6.html#11 {Ed. note: This link is no longer active}

What is happening, is that the company you are buying from is putting on its secure face while you to enter your sensitive information. Then it ships that same sensitive information from the web server back to the company via regular email. That is just giving you a false sense of security.

To compound matters some, many small companies have their websites hosted by third-party web hosting companies that do not offer SSL secure servers at all. These include the free sites from Tripod, AOL, Prodigy, and others. So, a market has sprung up for other web-hosting companies to host just the secure forms on their sites. Several companies now provide this service. One of these is First Coast Web Design, found at http://firstdesign.com/secureform.htm. {Ed. note: This link is no longer active} To quote from their web page,

"How do I retrieve the orders placed on my Secure Form?

The form actually gathers the information from your customer and sends it to you via Email.

If it's being Emailed to me, is it really secure?

The chances of someone intercepting your email and getting your customer's information is very slim. The information is safer than giving your information to the clerk at a store and then having that order go through untold number of hands before getting processed. Do you worry that your telephone is tapped when giving your credit card number to someone over the phone?

The purpose of a secure form is to convince users to enter their card details. The only thing users are looking for is the closed padlock (in Netscape 4+ & MSIE, or horizontal blue line in N3). They neither know nor care about anything else."

{Ed. Note: After publication of this paper, the last paragraph was removed from their website}

Note that this company comes right out and says, "The purpose of a secure form is to convince users to enter their card details." This author thinks the purpose of a secure form is for responsible merchants to be able to protect the sensitive information you need to give them to complete a purchase. If you thought it was safe to email your credit card information to the company without benefit of encryption, why wouldn’t you just do that? Do you feel secure knowing that this company (and other similar companies) is intentionally deceiving you into thinking your transaction is secure, when it is not? Yet, they have clients that are paying them to provide this false sense of security. To be fair to First Coast Web Design, they are not the only company marketing this scheme. TriPolar Technologies offers a similar scheme for merchants at http://www.tri-polar.com/html/secure.html. {Ed. Note: The TriPolar Technologies website no longer exists. } There are many others.

With all of these companies providing ways for merchants to give customers a false sense of security, what is a small company to do in order to actually secure the transaction? One way is for the company to use encrypted email such as PGP. There are some version of FormMail available that use PGP encrypted email. While some have used that method, it can be difficult to set up, and the typical small business doesn’t have the computer expertise to do so. There are a few hosting companies that will set up the server part of this connection, but the business must still be able to install PGP on their local machine by themselves.

Another secure way, is to store the information in a database on the web server, but in a place that is not directly accessible from the web. If the hosting company cannot be trusted, or for further security, this database can be encrypted. The merchant can then retrieve the transaction information later, using their own SSL encrypted connection. The problem with this method is that it requires the merchant to develop this secure system on their own. It takes a certain amount of programming skill to write the CGI scripts that are necessary to make this system work.

Two such companies that provide this type of service are JSweb Technology and Secure Hosting. JSweb Technology has a demonstration of this process located at http://jsweb.net/secform.htm . Secure Hosting has a demo of their service located at http://www.securehosting.com/demos.htm. {Ed. Note: Secure Hosting now offers different services.} With both services, the process is the same. The order form is secure, with information from the customer being encrypted between the customer's computer and the server. At the server, the information is stored in a database. The merchant is then notified of the order via email (without any of the sensitive details), and finally, the merchant retrieves the information via another secure session.

So, while there are ways to make the secure transaction actually secure, how is a customer to know whether it is or not? For the time being, there is no foolproof way. Clearly, you want to be sure that the solid key or lock is present, but you also want to be sure that company isn’t providing you with a false sense of security. One way to know this is to look at the company’s privacy policy, assuming it has one, and be sure it states that no customer credit card information will ever knowingly be sent over the Internet without being encrypted. However, there is no perfect method for ensuring that the information remains secure. Therefore, its back to Caveat Emptor, "Let the buyer beware."

 

Biographical Information of the Author (as of the date of this paper):

Mr. Stephen Mencik has worked in the Information Security field since 1981, with 13 of those years with the DoD’s National Security Agency. He has been designing, implementing, and evaluating security systems of all types that entire time. He is a Certified Information Systems Security Professional (CISSP). He also is the owner (with his wife Jean) of Mencik’s Sportscards (http://mencik.com), JSweb Technology (http://jsweb.net), one of the firms referred to in the article, and The Vacation Stop (http://www.thevacationstop.com). Questions regarding this article can be forwarded to Mr. Mencik at steve@mencik.com. Mr. Mencik's current resume is located at http://jsweb.net/smmres.htm