Security issues with email.

Problems installing or using the NOP Design Free Shopping Cart. **ARCHIVE** Please post new topics to one of the groups below.

Moderator: scott

Postby ihatemash » Tue Oct 01, 2002 4:55 am

I am using the email function to email orders for processing. If my checkout page is under a secure site, will the email sent also be secure? The email will be housed on my server (i.e. I host the email address where orders will be sent). However, I don’t see how the demographic and payment information will be secure if being sent via email.

Regards,
Scott
ihatemash
 
Posts: 2
Joined: Fri Sep 13, 2002 7:21 am
Location: Rome, GA

Maybe

Postby scott » Tue Oct 01, 2002 5:52 am

Not necessarily, no. If you are sending to a remote email server, and/or retrieving your email via an unencrypted channel, you are taking a risk. If you are using a local mail transport, and receive your mail via a secure channel only, then email is just as secure as other methods.

_Scott
scott
Site Admin
 
Posts: 558
Joined: Sun Jul 14, 2002 7:00 pm
Location: Phoenix, AZ

Postby jonah » Tue Oct 01, 2002 5:07 pm

Scott,

What would be the best way to remedy this unsecure email problem?

Thanks

Dexter
jonah
 
Posts: 17
Joined: Wed Sep 04, 2002 11:47 pm

Email security

Postby scott » Fri Oct 04, 2002 6:14 pm

Two things... either use a CSV file on the server, and only retrieve that file via SSL (i.e. https). Or, use secure email via SSL.

_Scott
scott
Site Admin
 
Posts: 558
Joined: Sun Jul 14, 2002 7:00 pm
Location: Phoenix, AZ

Postby designiifurniture » Fri Oct 04, 2002 6:51 pm

Sorry for the possibly ignorant question, but how does one retrieve a csv file via https? Do you just type in https://..URL../cgi-bin/cvsfile.csv ? Is ftp secure?
designiifurniture
 
Posts: 8
Joined: Mon Sep 09, 2002 6:12 am

Postby jonah » Fri Oct 04, 2002 7:23 pm

I personally like the convenience of the orders coming to me rather than me going to retrieve them, so I guess my best option is what Scott mentioned - sending secure email via SSL. Can anyone tell me how I set this up? Is this something my server folks will have to set up? And will it apply to only mail between this program and me or to all mail from that server to me? Sorry for the seemingly dumb question - but I haven't dealt with secure mail before.

Thanks
jonah
 
Posts: 17
Joined: Wed Sep 04, 2002 11:47 pm

CSV howto...

Postby scott » Fri Oct 04, 2002 9:01 pm

To retrieve a csv file via https, if it's in your web tree you just type the URL. Make sure the directory is password protected via a .htaccess file (most web servers) or via NT permissions (IIS/etc).

Now, if you have the orders coming to you via CSV, you can still get the email without the credit card number. :-) That way you get the notification and still get the credit card. Just set the mode to BOTH in the checkout.pl file, and add fields for your credit card to the CSV file write (line 487 of checkout.pl or so).

To set up secure email, check with your provider. AT&T only does it that way, and several webmail providers work that way. In your mail program you may have an option like 'Receive mail using SSL' or 'Use POP3S for secure mail download' or 'use TLS for secure mail download'. Any one of those will work. Many ISPs are supporting this now.

_Scott
scott
Site Admin
 
Posts: 558
Joined: Sun Jul 14, 2002 7:00 pm
Location: Phoenix, AZ
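
A minimal `.htaccess` for the CSV directory described in the post above, added here as an example; it is not part of the original thread or of the shopping cart's own files. The realm name, user name and password-file path are placeholders, and the server is assumed to be Apache with mod_ssl and `AllowOverride AuthConfig Options` enabled for this directory.

```apache
# .htaccess in the directory that holds the order CSV (added example).
# All paths and names below are placeholders.

# A password alone is not enough: with Basic auth over plain http the
# password and the CSV contents both cross the network unencrypted.
# SSLRequireSSL (mod_ssl) refuses any request that did not arrive over https.
SSLRequireSSL

# Require a login before anything in this directory is served.
AuthType Basic
AuthName "Order files"
# Keep the password file outside the web tree so it cannot be downloaded.
# Create it once on the server with:  htpasswd -c /home/example/private/.htpasswd orders
AuthUserFile /home/example/private/.htpasswd
Require valid-user

# Do not list the directory contents to anyone who guesses the URL.
Options -Indexes
```

With this in place, a request for the CSV over `http://` is refused outright, and a request over `https://` prompts for the user name and password before the file is sent.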

Postby jonah » Fri Oct 04, 2002 10:47 pm

Scott. Thanks for the info. You bring up a very interesting point (and question, I guess). I happen to use AT&T Worldnet as my ISP provider, so I can check into the 'Receive mail using SSL' scenario you mentioned. However, in addition to my AT&T mail (which resides on their server until I call it) I also retrieve POP3 mail from different servers where I'm hosting client sites. Now, if I want that POP3 mail to be secure as well, does the AT&T SSL encryption take care of that since I'm using them to access and egress the internet, or would there need to be even further encryption setup that would protect the data 'between the other servers and the AT&T server' prior to the AT&T server eventually handing the mail off to me on my PC?

Hmmmmm . . . . any thoughts on this?

I'll head over to the AT&T site right now and check on the first part.

Thanks so much!
jonah
 
Posts: 17
Joined: Wed Sep 04, 2002 11:47 pm

Secure Email

Postby scott » Sat Oct 05, 2002 7:06 am

Each server that you receive email from would need to be configured to receive via SSL to have them secure. However, if you have 3 servers, and only 2 of them are secure -- the third server, although not secure itself, does not expose your other servers.

_Scott
scott
Site Admin
 
Posts: 558
Joined: Sun Jul 14, 2002 7:00 pm
Location: Phoenix, AZ

Postby jonah » Sat Oct 05, 2002 3:03 pm

Thanks Scott - that's exactly what I was hoping to hear. I was successful at getting Outlook 2000 to be secure as far as my AT&T mail goes, and I'm waiting on a callback from the folks that support my other domain servers to see what their settings are.

Setting up Outlook 2000 was relatively simple (there are always a few bumps in the road aren't there :lol: ), but if anyone needs it, I have a document that explains how to set it up for AT&T mail. In fact, I believe the URL for it is http://www.wurd.com/eng/setup/emailclients/oe5_ia.htm. The same document works for Outlook and Outlook Express and the first 5 pages are about setting up an account. Skip through all that. Be sure and notice the 'i' that goes at the beginning of the server names :oops:

If that doesn't work for some reason contact me through my main website which is http://www.jonahproductions.com

Thanks again!
jonah
 
Posts: 17
Joined: Wed Sep 04, 2002 11:47 pm

Postby jonah » Sun Oct 06, 2002 12:02 am

Well, the reply I got from my web host regarding ssl security was not the best. They said:

"I believe what you want to use is SSMTP and SPOP3. Unfortunately, these are not supported in the current mail server. We are looking for these in the near future though. You can use ssl from within the webmail client to access your mail there via an encrypted channel but not via outlook"

Guess there's not a convenient way just yet. But I could go the longer route like they suggested for now.

Later
jonah
 
Posts: 17
Joined: Wed Sep 04, 2002 11:47 pm

