[_] Website form sending a secure email via third party?
oliver at watershed.co.uk
Tue Jul 13 11:18:43 BST 2010
On 13 Jul 2010, at 10:13, John Norsworthy wrote:

> Any ideas or recommendations on sending secure data (credit card
> details) via a third party? The function to pgp encrypt form data
> from our site is failing us right now and we need to take (send a
> secure email to the client) bookings for an event.

Obviously the message has to be encrypted before it leaves your server, so you'll have to do *some* PHP work.

Only GPG (or some such PKI tool) is going to provide the most complete security that comes from the server itself not having any key with which to decrypt the message. With any other non-PKI form of encryption, the server will have to store a plaintext key/password somewhere, so if someone manages to get into the server they might be able to get that key and decrypt your messages.

So if you can get GPG working, even by just encrypting the message body using shell commands like at http://devzone.zend.com/article/1265 , that'd be best.

If you can't use GPG on the command line, and your PHP has mcrypt installed, just use functions like http://www.php.net/manual/en/mcrypt.examples.php to encrypt your message before sending it. This would require some kind of decoder at the client end, though.

If none of the above are possible, another solution is to use the Gmail API (which works over SSL) to upload a message directly into an Inbox. You'll be storing the username/password to access the Inbox in your script, but since the API is SSL, and the gmail web interface is SSL, the data will remain encrypted when travelling over the internet. It still feels a bit wrong, though, and I'd say this is the least secure solution since your gmail account could be hacked.

Oliver.
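
Added example, not part of the original message: one way to do the GPG option described above from PHP, piping the form data to the `gpg` command so the server only ever holds the client's public key. The function name, recipient address and keyring path are assumptions for illustration.

```php
<?php
// Assumptions (not from the original message): the recipient address, the
// keyring directory, and that only the client's PUBLIC key was imported there.

function gpg_encrypt_for(string $plaintext, string $recipient, string $homedir): string
{
    $cmd = [
        'gpg', '--batch', '--no-tty', '--armor',
        '--homedir', $homedir,
        '--trust-model', 'always',   // key was imported deliberately; skip trust prompts
        '--recipient', $recipient,
        '--encrypt',
    ];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];

    // Array form of proc_open (PHP >= 7.4) bypasses the shell, so no form data
    // is interpolated into a command line and the plaintext never touches disk.
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start gpg');
    }
    fwrite($pipes[0], $plaintext);   // short messages only; no buffering logic here
    fclose($pipes[0]);
    $ciphertext = stream_get_contents($pipes[1]);
    $errors     = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);

    // Fail closed: a non-zero exit or missing armor header means no usable output.
    if (proc_close($proc) !== 0 || strpos($ciphertext, '-----BEGIN PGP MESSAGE-----') !== 0) {
        throw new RuntimeException('gpg encryption failed: ' . trim($errors));
    }
    return $ciphertext;
}

// Constructed sample input; real form fields would come from $_POST.
$body = "Booking: 2 tickets\nName: Example Person\n";
try {
    $armored = gpg_encrypt_for($body, 'bookings@client.example', '/var/lib/webapp/gnupg');
    mail('bookings@client.example', 'New booking', $armored);
} catch (RuntimeException $e) {
    error_log($e->getMessage());   // log the failure; never send the plaintext instead
}
```

Only the message body is encrypted; the subject line and headers still travel in the clear, so keep booking details out of them.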