Gastown Security All content © 1996 Gastown Webspace Updated:

Web form to PGP e-mail Gateway

Frequently Asked Questions

1. How does the Web To PGP service work?

   Your customers can use an SSL-supporting browser such as Netscape to submit form data (such as credit card numbers or confidential requests) which is then encrypted using ViaCrypt PGP 2.7 and e-mailed to you.

2. What are some security vulnerabilities with this service?

   The parties which you need to trust are:

   • SSL browser programmers: Flaws in Netscape Navigator or other browsers offering SSL connections may allow data packets travelling the Internet to be decrypted too easily.
   • Privileged XMission persons: Those with root access or physical access to the web and mail servers at XMission could intercept and copy the mail messages while they are in clear text on the local network.
   • Gastown password holders: The Mayor and his desginated officials could copy the mail messages while they are in clear text before they are encrypted.
   • Privileged users of your personal computer: Those with sufficient access to your personal computer may be able to read your e-mail messages. Various local security vulnerabilities are described in the PGP documentation.

3. What version of PGP should I use?

   If you in the U.S. or Canada, you are expected to purchase a license for Viacrypt PGP if you are using PGP for non-personal purposes. In other countries, use an international version of PGP, but expected to pay a license fee for the use of the IDEA technology in PGP if you are using it for commercial (money-making) purposes. This is not a legal opinion, it is only the information that The Mayor has been made aware of from various sources.

How to establish your Web To PGP gateway

1. Install PGP on your computer and generate your public key.

   For general information about PGP and its implementations, visit the PGP site in Norway.

2. E-mail your PGP public key to The Mayor

   The public key you send will be used to encrypt messages which will be e-mailed to the person who pays the fees for the service. An alternate e-mail address cannot be used, and your public key will not be certified by Gastown Webspace. Messages will not be signed by Gastown Webspace, and you should not rely on the date/time stamp of the e-mail.

3. Create your web form and e-mail message template.

   The easiest way to get started is to view source on The Mayor's secure feedback form and message template files. Remember that the message template file must contain UNIX carriage returns (not DOS or MAC linefeeds) and you need to add a header line which is used to identify your public key, such as:

   X-Secure: accountname
   
   

4. Test your form before linking to it from your pages.

   Please do not link your page until you have tested it yourself using a web browser which supports SSL connections. When you create your link, use an absolute reference to your URL which specifies the https:// (SSL) connection protocol. If you use a relative link to the page, people will be typing their data into a form which does not appear secure (i.e. no blue line, key icon broken) even though the SSL connection will be used when they hit the submit button. Also be sure that you are familiar with the process of decrypting the PGP messages which you receive.

5. Mail your payment to Gastown Webspace.

   Current tenants of Gastown can use this service at no extra charge during their current term of service if they mail their 6-month web space renewal fee plus $20 for 6 months of Web To PGP service. For information about Gastown tenant services and prices, see how to move into Gastown.

DISCLAIMER

Cypherpunks beware

Back to Gastown

Gastown Webspace is not an editor or a publisher, and therefore claims no responsibility for the content of materials stored in this directory heirarchy.