How to create a secure online form

I have spent a great deal of time researching and preparing a secure site for a client.

We purchased the domain name, a Virtual Private Server and got an SSL Certificate from Entrust.

I created an online PERL Script to process the contents of the form.

I created a .htaccess file to force any script call in the cgi-bin to be a secure script call. This is accomplished by redirecting all CGI script requests from http to https:

http://yourwebsite.com/cgi-bin/yourscript.cgi to

https://yourwebsite.com/cgi-bin/yourscript.cgi

Sample .htaccess file below (the redirect is only applied when the request did not arrive on port 443; R=301 makes it an explicit permanent redirect and L stops further rewriting):

RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)?$ https://yourwebsite.com%{REQUEST_URI} [R=301,L]

Next we tested the server settings to ensure that the certificate was configured correctly. Take note: if you cannot run this script, either your server does not support PHP or something is wrong with the install of your SSL Certificate.

http://yourwebsite.com/ssl_test.php should display unsecure

https://yourwebsite.com/ssl_test.php should display secure

<?php
// Save this script as: ssl_test.php
// http://yourwebsite.com/ssl_test.php  - should display UNSECURE
// https://yourwebsite.com/ssl_test.php - should display SECURE

// $_SERVER['HTTPS'] is unset over plain HTTP, but some servers set it to "off"
// on non-SSL hosts, so test the value rather than only whether the key exists.
if (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') {
    echo "SECURE: This page is being accessed through a secure connection.<br>\n";
} else {
    echo "UNSECURE: This page is being accessed through an unsecure connection.<br>\n";
}

// Create the keypair (RSA, using the server's OpenSSL defaults)
$res = openssl_pkey_new();
if ($res === false) {
    die("openssl_pkey_new() failed: " . openssl_error_string());
}

// Get private key (PEM encoded)
openssl_pkey_export($res, $privatekey);

// Get public key (PEM encoded)
$details   = openssl_pkey_get_details($res);
$publickey = $details["key"];

echo "<pre>Private Key:\n" . htmlspecialchars($privatekey)
   . "\n\nPublic Key:\n" . htmlspecialchars($publickey) . "</pre>\n";

$cleartext = '1234 5678 9012 3456';
echo "Clear text: " . htmlspecialchars($cleartext) . "<br>\n";

// Encrypt with the public key; the result is binary, so base64-encode it for display
openssl_public_encrypt($cleartext, $crypttext, $publickey);
echo "Crypt text: " . base64_encode($crypttext) . "<br>\n";

// Decrypt with the matching private key; should print the clear text again
openssl_private_decrypt($crypttext, $decrypted, $privatekey);
echo "Decrypted text: " . htmlspecialchars($decrypted) . "<br>\n";
?>

Since the form was created and parsed using PERL I needed to adjust the sendmail feature. If you use the standard sendmail, the message is sent as the user nobody and is interpreted as spam by many mail servers. This requires you to send an authenticated email message; below is the PERL code to do just that:

#!/usr/bin/perl
use strict;
use warnings;

use Mail::Sendmail;   # used only for time_to_date(); its sendmail() cannot speak SSL
use Net::SMTP::SSL;   # SMTP over SSL on port 465; auth() needs Authen::SASL installed

my $username = 'your@email.com';
my $password = 'yourpassword';
my $server   = 'smtp.sendmailserver.com';

my %mail = (
    From       => 'your@email.com',
    To         => 'client@email.com',
    # Cc       => 'notneeded@email.com',
    # Cc will appear in the header. (Bcc will not)
    Subject    => 'Authenticated Sendmail Test',
    'X-Mailer' => "Mail::Sendmail version $Mail::Sendmail::VERSION",
    'X-custom' => 'My custom additional header',
    Message    => "Authenticated Sendmail Test",
);
# cheat on the date:
$mail{Date} = Mail::Sendmail::time_to_date( time() - 86400 );

# Connect over SSL, then authenticate: auth() takes the user name and the
# password as two separate arguments.
my $smtp = Net::SMTP::SSL->new($server, Port => 465, Debug => 1)
    or die "Cannot connect to $server: $@\n";
$smtp->auth($username, $password)
    or die "Can't authenticate: " . $smtp->message . "\n";

# Envelope first, then the headers and the body
$smtp->mail($mail{From}) or die "MAIL FROM rejected: " . $smtp->message;
$smtp->to($mail{To})     or die "RCPT TO rejected: "   . $smtp->message;
$smtp->data();
for my $h (qw(From To Cc Subject Date X-Mailer X-custom)) {
    $smtp->datasend("$h: $mail{$h}\n") if defined $mail{$h};
}
$smtp->datasend("\n$mail{Message}\n");
$smtp->dataend() or die "Message rejected: " . $smtp->message;
$smtp->quit;

print "Content-type: text/html\n\n";
print <<"HTML";
Authenticated Sendmail Test
HTML

TIP 1:  You may register your certificate as either:

https://yourdomain.com and/or

https://www.yourdomain.com

You may see the error message below if you attempt to access the site by a hostname the SSL Certificate was not registered for. The screenshot below was taken using the Firefox browser; the message will look similar in other browsers. Treat this message as a warning that you are not accessing the SSL Certificate correctly, and do not change any of the options offered to you on that screen.

TIP 2: I was told by our hosting provider that everything was installed and configured properly, including the SSL Certificate. As it turns out, that was not the case; I spent days researching to see if my PERL Script needed to be revised to work with the SSL Certificate, and the script was just fine all along.

If your script works before the SSL is installed it should work after the SSL is installed. You may need to make minor tweaks in the form, for example pointing the action at the https address of your script:

<form action="https://yourwebsite.com/cgi-bin/yourscript.cgi">
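An added example, not code from the post: a Perl CGI form handler that checks on the server side that the submission arrived over HTTPS (the same test ssl_test.php performs, useful because the .htaccess redirect turns a POSTed form into a GET and drops its fields) and rejects line breaks in fields that will be placed in mail headers. The field names and the helper names are assumptions.

```perl
#!/usr/bin/perl
# Added example (not the original post's code). Assumed form fields:
# email, subject, message; helper names are hypothetical.
use strict;
use warnings;
use CGI;

# Apache exports HTTPS=on to CGI scripts on an SSL virtual host; some
# servers export HTTPS=off on plain hosts, so test the value too.
sub request_is_secure {
    my ($env) = @_;
    return 0 unless defined $env->{HTTPS};
    return lc($env->{HTTPS}) eq 'off' ? 0 : 1;
}

# A mail header value must be a single line: a CR or LF inside the From
# or Subject field would start a new header line in the message.
sub header_safe {
    my ($value) = @_;
    return 0 unless defined $value;
    return 0 if $value =~ /[\r\n]/;
    return 0 if length($value) > 200;
    return 1;
}

my $q = CGI->new;
print $q->header('text/plain');

if (!request_is_secure(\%ENV)) {
    # A 301 from .htaccess would have discarded the POST body, so the
    # form action itself must point at the https:// URL of this script.
    print "Refused: this form must be submitted over https.\n";
    exit;
}

my $email   = $q->param('email')   // '';
my $subject = $q->param('subject') // '';
my $message = $q->param('message') // '';

unless (header_safe($email) && header_safe($subject)) {
    print "Refused: invalid characters in the email or subject field.\n";
    exit;
}

# At this point the validated values can be placed in the %mail hash
# and handed to the authenticated SMTP routine shown earlier.
print "Thank you, your message was received.\n";
```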

As well, I have used several online sources to improve the security of the script.  I have implemented 27 tweaks for added security and recommended an additional 8 security standards.

Here are some links to assist you in building a secure online form:

  • CGI – Security

I would like to thank Michael Goodyear for his help, along with the other developers that provided some additional code.

All the best,

Kevin Brake
eLearningShow.com
