[thelist] Sensitive information on the web

L. M. Arun 437341 at gmail.com
Thu Nov 4 00:37:01 CDT 2010


>>My recommendation is to have the form (usually in a Word .doc format)
>>converted to PDF, then they can print it off and fill it out.  The other
>>option is to create a fillable PDF form, where they can type their answers
>>in and print it out.  However, if you let them save it, then they can send
>>it via email.  I also said they could get an SSL certificate, have the form
>>put on the web and written to a database, then they can log in and get the
>>information and run a report and print out the information.  But then you're
>>running into things like making sure their client has a web login so they
>>can go and update the information.

Fillable PDF/Word forms should be obsolete.

The sensible thing to do is to have a web form capture the data (of course
with https:// if it contains info like SSN). This also brings with it
a) administrative overhead of having to create and communicate login info
to each of the clients.
b) security responsibilities to make sure the collected data is protected
with reasonable diligence.

>>OTOH, while keeping it online in a DB is also a potential exposure,

Instead of actually storing the SSN in plain-text in the database, store an
MD5 hash.

"Keeping around large databases of student names, birthdays, and SSNs merely
opens these students up to the threat of identity fraud at some point in the
future. It would be far better for the college databases to store the MD5
hash of the SSN, rather than the SSN itself."
http://www.oreillynet.com/pub/a/network/2002/08/02/simson.html

Storing SSN and date of birth in un-hashed form is a bad idea:
"Unfortunately, the security on the Yale Web site was atrocious: all anybody
needed to look up a student's record was that student's name, social
security number (SSN), and date of birth. And it just so happened that the
officials at Princeton had this same information for the most
highly-contested applicants. So in April, when the Web site went live,
Princeton's admissions office sprang to action as well, allegedly
downloading admissions decisions from the Yale Web site on at least 18
separate occasions. The most highly sought-after applicant? President Bush's
niece Lauren Bush"


Mohan Arun L.
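The post above proposes storing a hash of the SSN in place of the SSN itself so that records can still be looked up by it. The following is an added example, not code from the post or its author, showing that pattern as a lookup index. One caveat a practitioner would want: a nine-digit SSN has only about a billion possible values, so an unkeyed MD5 of it can be recomputed for every candidate and matched against the stored column. The example therefore uses a keyed hash (HMAC-SHA256 with a server-side secret) for the index column, which is an assumption layered on top of the post's idea; the plain MD5 variant is included only for comparison. `SSN_INDEX_KEY`, `ApplicantIndex` and the sample records are constructed for this illustration.

```python
import hashlib
import hmac
import re

# Constructed example secret. In a real deployment this comes from a secrets
# manager or environment variable and is never stored in the same database
# as the index tokens; if it is lost, the index cannot be rebuilt.
SSN_INDEX_KEY = bytes.fromhex(
    "2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c"
)


def normalize_ssn(ssn: str) -> str:
    """Strip separators so '123-45-6789' and '123456789' index identically."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return digits


def ssn_index_token(ssn: str, key: bytes = SSN_INDEX_KEY) -> str:
    """Keyed hash of the normalized SSN, used as the lookup column.

    Without the key, the token cannot be matched against a precomputed table
    of all nine-digit values, which is the weakness of the unkeyed variant.
    """
    mac = hmac.new(key, normalize_ssn(ssn).encode("ascii"), hashlib.sha256)
    return mac.hexdigest()


def unkeyed_md5(ssn: str) -> str:
    """The post's proposal (plain MD5). Shown for comparison only."""
    return hashlib.md5(normalize_ssn(ssn).encode("ascii")).hexdigest()


class ApplicantIndex:
    """In-memory stand-in for a database table keyed by the index token.

    Records hold no SSN column at all; the token is the only thing stored.
    """

    def __init__(self, key: bytes = SSN_INDEX_KEY):
        self._key = key
        self._rows: dict[str, dict] = {}

    def add(self, ssn: str, record: dict) -> str:
        # Refuse to store the SSN alongside its own token.
        if "ssn" in record:
            raise ValueError("record must not carry the plaintext SSN")
        token = ssn_index_token(ssn, self._key)
        self._rows[token] = dict(record)
        return token

    def lookup(self, ssn: str):
        """Recompute the token for the presented SSN and fetch the record."""
        return self._rows.get(ssn_index_token(ssn, self._key))

    def stored_columns(self) -> set:
        """Column names that actually live in the table (for auditing)."""
        cols = {"ssn_token"}
        for record in self._rows.values():
            cols.update(record)
        return cols


if __name__ == "__main__":
    # Constructed sample data.
    index = ApplicantIndex()
    index.add("123-45-6789", {"name": "Applicant A", "decision": "admit"})
    index.add("987-65-4321", {"name": "Applicant B", "decision": "waitlist"})
    print(index.lookup("123456789"))      # found via recomputed token
    print(index.lookup("111-22-3333"))    # None: no such applicant
    print(sorted(index.stored_columns()))  # no plaintext 'ssn' column
```

The lookup works exactly as the post describes (present an SSN, recompute, match), but the stored column is useless without the server-side key, and the `add` method refuses any record that tries to carry the plaintext SSN along with its token.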

