如何提供 Web 表单并安全地通过电子邮件发送响应?
我正在尝试学习如何保护网络表单。 举个简单的例子,一个联系方式,姓名,电话,邮箱。 我发现了这个:
但我不知道这是否是正确的方法走。 它不是共享主机,如果重要的话,我可以完全访问所有内容。 我目前使用的是 IIS 6 和 Windows 2000,所以我可能需要使用 asp.net 2.0,但如果需要可以使用其他语言(可以在 IIS 中运行)。
我希望能够填写表格并让它通过电子邮件发送/将表单发送到适当的下一步(我不知道那是什么。)
另外,我是否使用端口 443 作为表单的端口?
编辑:我很清楚。 对不起。 我需要整个过程的安全。 这不仅仅是安全地获取初始表单。 输入表单后,我需要安全地获取表单中的数据。
编辑:我还不够清楚。 一旦我从用户那里获得了我将通过 443 和 SSL 获得的数据,我希望这些数据通过电子邮件通过 Internet 发送给我。 是否可以安全地做到这一点? 或者,最好是拥有我的 SSL,通过它获取数据,然后让查看该信息的用户(秘书,等等)使用相同的 SSL 套接字,仅使用查看应用程序?
任何帮助表示赞赏。 谢谢你。
I am trying to learn how to secure a web form. Take a simple example, a contact form, name, phone, email. I found this:
But I don't know if it is the correct way to go. It is not shared hosting, if it matters, and I have full access to everything. I am tied to IIS 6 and Windows 2000 at the moment, so I will probably need to use asp.net 2.0, but can use other languages if necessary (that can run in IIS.)
I want to be able to fill out the form and have it email/send the form to the appropriate next step (I don't know that is.)
Also, do I use port 443 for the port of the form?
EDIT: Just so I am clear. Sorry. I need the entire process secure. It's not just getting the initial form securely. I need the data from the form securely once it's entered.
EDIT: I haven't been clear enough. Once I have my data from the user which I will have gotten via 443 and SSL, I want that data sent to me over the Internet with an email. Is it possible to do that securely? Or, is it just best to have my SSL, get the data over that, and then have the user that views that information (secretary, whatever), use that same SSL socket, just with a view app?
Any help is appreciated. Thank you.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。
评论(5)
您的站点需要 SSL 证书。 至于确保您的数据安全,请确保您的表单操作是 https://
You need a SSL certificate for your site. As far as ensuring that your data is secure, make sure your form action is https://
保护表单始终是一项危险的工作,但您需要做的第一件事就是添加一个 CAPTCHA 组件,这样漏洞扫描器或机器人就无法使用该表单来尝试在您的代码中查找任何可能的漏洞或在你的服务器中。 这样,您就不会在收件人邮件文件夹中收到来自您的表格的数千封电子邮件。
还要尝试在对输入数据进行任何操作之前对其进行清理,这将防止 SQL 注入、XSS 和其他。 某些语言(如 ASP.NET)仅通过默认配置来完成此任务,但如果您必须对其进行编码,那么这并不是一件难事。 从这两个开始还有更多的技术,95% 的工作将完成。
如果您需要任何其他建议,请告诉我。
Securing the form is always a hazard job but one of the first things you need to do is to add a CAPTCHA component, in this way the form could not be used by vulnerability scanners or bots to try to find any possible vulnerability in your code or in your server. In this way you aren't going to have thousands of e-mails from your form in a receiver mail folder.
Also try to sanitize your input data before to do anything with it, this will prevent SQL injection, XSS and others. Some languages like ASP.NET do this task just by default configuration, but if you have to code it it's not such difficult task. There are more techniques bur start with these two and the 95% of the job will be done.
If you need any other suggestion let me know.
SSL 证书适合您。 您不一定需要购买一个,因为它们可以是“自签名”的,尽管您的使用会看到其中一个窗口弹出,告诉他们证书无效。 但即使证书无效,它仍会提供与签名证书相同的加密。
如果您使用 https 协议,则客户端 Web 浏览器将自动尝试连接到端口 443 上的 Web 服务器。
An SSL certificate would work for you. You don't necessarily need to buy one because they can be "self-signed" although your uses will see one of those windows pop up telling them that the certificate isn't valid. But even though the certificate isn't valid it will still provide the same encryption that a signed certificate provides.
If you use the https protocol then the clients web browser will automatically try to connect to the web server at port 443.
如果您已经为该页面设置了 SSL,那么这就是完成工作的大部分真正的 PITA 部分。 用户可以连接到端口 443,他们输入的所有数据都是安全的。
然而,大多数人没有回答的是通过电子邮件传输的数据,其中大部分的传输不能保证安全 - [我不知道这个参考文献有多可信,但值得一读从未如此:http://ask-leo.com/just_how_secure_is_email_anyway.html]所以你必须自己使用某种形式的加密来加密数据。 也许是公钥/私钥加密——也许是 RSA 或类似的。 使用公钥加密数据,将其附加到电子邮件中并邮寄出去。 电子邮件接收者然后使用私钥解密数据。
如果您正在使用表单的 mailto 功能,那么是时候亲自动手了,因为您可能需要进行一些编码。 据我所知[如果我错了,请有人纠正我],IIS 没有任何加密通过电子邮件发送的数据的能力——主要是因为接收电子邮件的程序可能无法解密数据,这意味着您需要指定加密算法、任何密钥、附件方法等
。 有许多库可以用来处理此问题。 您没有提到您是否在自己编程,也没有暗示编程语言,但由于您似乎在使用 Microsoft 技术,我会向您指出 Microsoft 的网站作为参考:
http://msdn.microsoft.com/en-us/library/5e9ft273.aspx
希望这会为您指明正确的方向。 我的想法是您需要让网站解析输入的数据,使用公钥对其进行加密并将其附加到电子邮件中。
阅读电子邮件的任何人都需要一个实用程序来使用私钥解密数据。 我想您会希望该实用程序自动侦听带有加密附件的传入电子邮件,并自动将它们解密到磁盘以节省每次手动执行此操作的人员。 或者,您可以有一些拖放实用程序,您可以将附件拖到其中以查看它。 只是一些想法。
If you've got your SSL set up for the page, that's most of the real PITA part of the job done. The user can connect on port 443, all the data they enter will be secure.
However, what most people haven't answered is the data transmission via email the transport of much of which can't be guaranteed secure - [I don't know how credible this reference is, but worth reading never-the-less: http://ask-leo.com/just_how_secure_is_email_anyway.html] so you would have to encrypt the data using some form of encryption yourself. Perhaps public/private key encryption - maybe RSA or similar. Encrypt the data using the public key, attach it to the email and mail it out. The email receiver then uses the private key to decrypt the data.
If you're using the mailto feature of the form, it's going to be time to get your hands dirty as you're likely going to need to do some coding. As far as I'm aware [and someone please correct me if I'm wrong], IIS doesn't have any ability to encrypt data going out via email - mostly because the receiving email program would likely have no way to decrypt the data, meaning that you need to specify the encryption algorithm, any keys, attachment method etc.
There are numerous libraries out there you can use to handle this. You haven't mentioned if you're programming this yourself or not, nor have you implied a programming language, but since you appear to be using Microsoft technologies, I'll point you to Microsoft's site as a reference:
http://msdn.microsoft.com/en-us/library/5e9ft273.aspx
Hopefully that should point you in the right direction. My thought is you'd need to have the site parse the entered data, encrypt it using the public key and attach it to the email.
Whoever is reading the email would then need a utility to decrypt the data using the private key. I would imagine you'd want the utility to automatically listen for incoming emails with encrypted attachments and automatically decrypt them to disk to save the person doing this manually each time. Alternatively you could have some drag/drop utility that you could drag the attachment to to view it. Just some thoughts.
您需要购买 SSL 证书并将 IIS 配置为使用该证书并且仅通过 SSL 连接为页面提供服务。 这意味着从用户浏览器到您的服务器到该站点的所有连接都是安全的。
You need to buy an SSL certificate and configure IIS to use that certificate and only serve the pages over an SSL conenction. This will then mean that all connections to that site are secure from the users browser to your server.