Internet Security Discussion Forum This forum is for the discussion of security related issues. If you find a new Phishing scheme, spyware, virus or malicious site - let us know about it. If any of the above found you... here's where you ask for help.

  #1 (permalink)  
Old 11-03-2009, 05:59 PM
ohiowebpro's Avatar
WebProWorld Member
 
Join Date: Jan 2009
Location: Marietta, Ohio
Posts: 25
ohiowebpro RepRank 0
Default Secure employment app

I was wondering if anyone here has addressed this before. A client of mine has an application for employment online, and wants to make sure it is secure, since it asks for social security number. SSL can be used, but once it is sent by email, all security is lost. I don't really like the idea of keeping it on the server in a database either. Any ideas?

Which do you think would be more secure: keeping the app on the server in a database and using an SSL login to retrieve it, knowing the server could be hacked, or just emailing it right away and not saving it on the server, knowing that email is not secure and could be intercepted?
__________________
Eric Griffiths
OhioWebPro
Reply With Quote
  #2 (permalink)  
Old 11-06-2009, 05:41 PM
Smeagol's Avatar
WebProWorld New Member
 
Join Date: Apr 2009
Location: Netherlands
Posts: 16
Smeagol RepRank 1
Default Re: Secure employment app

My quick 5 cents' worth: with email you have no idea what the routing is between servers, and anyone 'could' intercept and read it. For me, a big no-no.

SSL or EV-SSL (the green stuff) seems the best. As for storing it, send it from the receiving web server to another server for storage, or encrypt the data before you save it to the local database.

I would surely go with SSL above plain email if these were the two choices.
Reply With Quote
  #3 (permalink)  
Old 11-06-2009, 06:57 PM
puamana's Avatar
WebProWorld Member
 
Join Date: Sep 2006
Location: Medford, OR
Posts: 65
puamana RepRank 0
Default Re: Secure employment app

SSL is a must on the URL where the information is collected. I would recommend a Linux host server, with cgi-bin. An application can write to a log file in the cgi-bin, protected with .htaccess and an additional index file in the directory where it's stored. Permissions on the file can be set to the highest security, and still allow the application to write to the log.

The information should be retrieved by direct FTP connection, or by a management interface also in the same cgi-bin, with no cache tags. If your host has a local MySQL server, you might be able to use that sort of database, but I would verify that the server is not remote, before using it.

How many applications does your client take per day? If it's an extremely high number, then look at dedicated server hosting. If it's a small number, and not likely to grow a lot, then VPS or shared hosting would work fine. The same kind of rules apply to sensitive credit card/financial data, when a shopping cart is using an 'offline' processing setup.

Hope this helps...
puamana
__________________
The difference between the right word and almost the right word
is the difference between lightning and the lightning bug. - Mark Twain
Reply With Quote
  #4 (permalink)  
Old 11-06-2009, 07:02 PM
puamana's Avatar
WebProWorld Member
 
Join Date: Sep 2006
Location: Medford, OR
Posts: 65
puamana RepRank 0
Default Re: Secure employment app

It also occurs to me that the cheapest way for your client to go would be a contract with a web-based form processing service, especially if they offer a secure form data collection service.

- p
__________________
The difference between the right word and almost the right word
is the difference between lightning and the lightning bug. - Mark Twain
Reply With Quote
  #5 (permalink)  
Old 11-06-2009, 08:06 PM
Doc's Avatar
Doc
WebProWorld Veteran
WebProWorld MVP
 
Join Date: Jun 2009
Location: Baja California
Posts: 695
Doc RepRank 9
Default Re: Secure employment app

I don't know that puamana's suggestion would be the "cheapest" way to go, but it sounds like the safest.

Personally, I would recommend that the client not require especially sensitive information via the on-line form, such as SSN, DL no., Passport # and the like. Even if the company manages to get the information transmitted to it securely, there is still considerable liability in having it in their possession. Given that an applicant might be rejected for employment, and decide he has a bone to pick with the company, why give them any ammunition? Get that information in person, at the interview.
__________________
If I ever stop learning, let the wolves have my carcass.
http://doccampbell.wordpress.com/
http://cleanstreamwaterconditioning.com
http://carforums-online.com
Reply With Quote
  #6 (permalink)  
Old 11-08-2009, 07:16 AM
WebProWorld Pro
 
Join Date: May 2008
Location: London, UK
Posts: 110
seopo RepRank 2
Default Re: Secure employment app

You can always encrypt your email. Or if you're that worried you can always split it half & half, i.e. half the info in the DB & half via the email, and then join them later.

What happens once you receive the data though? Is it stored locally somewhere? This could be the same situation with storing on your webserver.
Reply With Quote
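Added example, not part of any post in this thread: one way to implement the "encrypt the data before you save it" and "encrypt your email" suggestions above, so that a compromised web server or an intercepted message exposes only ciphertext. It assumes a Node.js form handler; the function names `sealApplication` and `openSsn`, the record layout and the sample values are hypothetical.

```javascript
// Field-level public-key encryption for one sensitive form field (added example).
const crypto = require('node:crypto');

// Constructed demo key pair. In a deployment the pair is generated on the
// HR workstation and only the public key is ever copied to the web server.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
});

// RSA-OAEP with SHA-256; a 9-digit value fits well inside one 2048-bit block.
const OAEP = {
  padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
  oaepHash: 'sha256',
};

// Web server side: validate, encrypt, and build the record to store or mail.
// The server never holds a key that can reverse this step.
function sealApplication(form, pubKey) {
  const ssn = String(form.ssn).replace(/\D/g, '');
  if (ssn.length !== 9) throw new Error('SSN must contain 9 digits');
  const sealed = crypto.publicEncrypt(
    { key: pubKey, ...OAEP },
    Buffer.from(ssn, 'utf8')
  );
  return { name: form.name, ssn_sealed: sealed.toString('base64') };
}

// HR workstation side: the only place the private key exists.
function openSsn(record, privKey) {
  const plain = crypto.privateDecrypt(
    { key: privKey, ...OAEP },
    Buffer.from(record.ssn_sealed, 'base64')
  );
  return plain.toString('utf8');
}

// Constructed sample submission (area number 000 is never issued).
const sample = { name: 'Pat Example', ssn: '000-12-3456' };
const stored = sealApplication(sample, publicKey);
```

Because OAEP padding is randomized, sealing the same number twice gives different ciphertexts, so the stored column cannot be searched or de-duplicated by equality.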