Sending secure emails

[jedel]

Hi all,

a quick question. I have a form that people fill in some personal details and submit. The page is shown from an SSL.

When they hit the submit button the form accesses a PHP page that is also sourced through an SSL and sends and email to an administrator.

My question is twofold.
1) is the email encrypted seeing as it came from a page accessed vide an SSL connection?
2) if not is there a way of sending sensitive data through email securely?

-------------------------------------------------------------
"The most overlooked advantage of owning a computer is that if they foul up there's no law against whacking them around a bit."

 

[jpadie]

a secure socket layer is administered by the https protocol: i.e. by the webserver, not php. php does not get involved in the certificate exchange at all.

similarly function calls such as mail() do not get involved in security themselves. they rely on the operating system to supply that level of overlay.

the smtp protocol is not in itself secure.

it may be possible to use TLS to connect to an SMTP relay server, however only improves the security of the first hop. the subsequent link from smtp to smtp server will not be secure. similarly there is no guarantee for you, as a sender, that the link between the receiver's client and his/her imap/pop/exchange server will be secure. therefore as a sender you cannot rely on the email being secure at the transport level.

however it is possible, and the usual way of doing things, (but outside the scope of this forum) to secure the body of an email using public key encryption. My understanding is that the subject of the mail is not encrypted however: and often the subject of the mail gives away the contents to any savvy reader.

there may be a possibility of creating a custom class in php to handle the encryption and appropriate custom mail headers. post back in a new thread once you have read up on PKE and have determined that this is the way that you want to proceed.

a last way to skin the cat is not to send emails that contain sensitive information. instead keep the data on your web server (secured) in a manner that can be read by the administrator. then send the administrator a link in an email that he/she can click on, in order to access the data. then secure the page using some kind of password challenge (or client certificates) and SSL.

 

[POPDUM]

Hi,

I have to send email containing German characters (e.g. umlauts). I already had a script which worked with English characters, but it would mess up the German ones.

So, I decided to use encoding in the header, and encoded it to UTF-8 as text/html (using text/plain does not work). Now, the German characters appear OK, but the newlines get lost. I tried using \n and \r\n as newline characters, but it does not work.

Here is the code fragment which I am using:

$name = $_POST['sendername'];
$telefon = $_POST['telefon'];
$message = $_POST['message'];
$email = $_POST['email'];
$typedcode = $_POST['typedcode'];
$body = "* Name:\n$name\n\n".
"* Email:\n$email\n\n".
"* Telefon:\n$telefon\n\n".
"* Anfrage:\n$message";

$result = 'ok';
mail("myname@gmx.net", "Kontaktformular", $body, "From: $email\n" .
"MIME-Version: 1.0\n" . "Content-type: text/html; charset=utf-8\n" );

As I said above, I tried using \r\n too, but it does not work.

Any answers or suggestions are most welcome.