Digital Signature for Website

Chan_ZA

Hi Guys,

I am pretty familiar with building and maintaining static/dynamic websites, however I seem to have come across something I need to find out about.

The website I have done is a lodge and now I need to create a booking form for people to agree to certain terms and conditions, i.e. not sign a physical sheet of paper but submit their details online (Name, Surname, ID Number, etc) as they would do with the terms and conditions that they would normally sign for staying at the lodge.

What are the requirements of these ?

Do I need to do it on a secure site ?

What actually does this involve ?

I know there are legal implications, therefore I am asking now, before doing something that is not correct.

Any help towards this would be much appreciated ... Sorry if I am not so clear, as I am not sure what I am getting myself into ...

Thanks
 
You seem to have merged quite a few different concepts into one or more separate concepts, so let's split them out.

- A website can have an SSL certificate which is used for 2 different purposes.

1. If I am visiting your site I can verify that you are who you say you are. I can look at the certificate to make sure that the website is in fact being run by you and isn't a fake website made to look like yours.
2. All of the HTML pages my browser and your web server exchange are encrypted so no-one else can see what we are saying to one another.

- If you are going to be collecting personal information from website visitors you would want it for reason 2 above. That personal information would be encrypted before it was sent by their browser to your webserver. Legally, you could probably be held liable for not keeping this information secure.

- It seems you want to somehow identify the person entering the information. You can't do that, they don't have an SSL certificate on their side confirming who they are, so there is no way to confirm they are who they say they are.

- How do you do this? You need to go to a site that sells SSL certificates (Verisign) and buy one, they will tell you how to install it on your webserver. If your site is hosted by a hosting company, they might be able to help you out as well.
 
It's a horrible mess.

First off, it's basically a legal contract you're entering into with the website user, so, the website user has to be assured that they are actually talking to your website, and not some other website pretending to be your website. This is the Machine Identification part.

Then, you have to ensure that the stuff that the person is typing in is not going to be intercepted and read as it passes over the internet. This is the encryption part.

Then, the details that the user has entered and handed over to you for safe-keeping, must be stored safely, and audited accordingly. This is the trust part.

So, now you're going to have to get somebody else involved here that the web client can trust. These people sell secure certificates which are used to identify the web server (Machine Identification) and to encrypt the transmission (Encryption part), and they also sell the (trust part), where they do limited auditing and such.

Now, the web browsers that the web clients use all subscribe to a pre-programmed set of "SSL providers" (Secure Certificates), and the browser will automatically verify any certificate presented from any of these trusted providers. No other certificate providers will be automatically trusted, so you are forced to use these providers of SSL certificates.

The ones I know of are Verisign and Thawte.

There is only one SSL provider of those certificates in this country as far as I know. If you cannot find them on google.co.za, send me a PM and I'll give you their home page URL.
 
Whoa !!!

Thanks for the response guys ... Makes some sense to me and also seems to be a little out of my league ! I guess the biggest part is obviously the legal aspect.

Once an SSL certificate is installed on my webserver .... in terms of the coding and capturing of details .... Does it still remain the same process of capturing details via forms or does this change in terms of handling the way the information is passed ?

Basically should I go ahead and attempt this or pass this task to another company ?
 
Just take note that an SSL certificate is expensive (in the region of R1500 per year).
 
If you're not collecting any credit card information with the booking form I'd save myself the R1500.

According to the ECT Act the booking T&C is legally binding if the user agrees to it (even if they don't sign it physically, "signing" it electronically by agreeing to it binds them to its contents)

You don't need encrypted data for that unless the personal details being collected includes credit card forms.

RE: your other question. Nothing changes except instead of redirecting them to http://www.thiswontbecheap.com/booking.html you will redirect them to https://www.thiswontbecheap.com/booking.html before gathering their information.

Also make sure to submit the page to https://www.thiswontbecheap.com/whatevercapturesandprocessesthedata.html otherwise you'll lose the integrity in the first place.

Let me repeat this

You do not need an SSL certificate if you're not capturing sensitive data like credit card information. The legality of the T&C being agreed to on the website does not, I repeat, does not affect anything legal

That being said, it's a "nice to have" if you have an SSL certificate to ensure people you are who you are. But again (yay for repeating myself because I've seen so many people fall into the trap of buying an SSL when they don't need one).... you only need one if you're going to capture sensitive credit card or banking detail data
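The point made above about the form's submit target, as an added example that is not part of the original thread: a small Python check that resolves each `<form>` action the way a browser would and reports any that would leave HTTPS. The hostname `lodge.example`, the file names and the function name `insecure_form_targets` are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collects the raw action attribute of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # A missing or empty action means "submit to the page's own URL".
            self.actions.append(dict(attrs).get("action") or "")


def insecure_form_targets(page_url, html):
    """Return the resolved submit URLs that would leave HTTPS.

    Relative actions are resolved against page_url, so an https page with
    action="process.html" is fine, while an absolute http:// action (or
    any form on a page served over http) is reported.
    """
    collector = _FormCollector()
    collector.feed(html)
    findings = []
    for action in collector.actions:
        target = urljoin(page_url, action)
        if urlparse(target).scheme != "https":
            findings.append(target)
    return findings


# Constructed sample page: hostname and file names are placeholders.
SAMPLE = """
<form method="post" action="process.html"><input name="id_number"></form>
<form method="post" action="http://lodge.example/process.html"></form>
<form method="post"><input name="surname"></form>
"""

if __name__ == "__main__":
    for url in insecure_form_targets("https://lodge.example/booking.html", SAMPLE):
        print("form submits in clear text to:", url)
```
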
 
Oh and btw, Thawte is South African owned (or was, HQ in South Africa, Mr Shuttleworth ring a bell?)

So coming up with www.thawte.com isn't too hard and will save you a pm
 
Great - Thanks again guys. I really do appreciate the help you have given me.

I will NOT be collecting Credit Card information, so there is no need for the SSL certificate. This does make things a whole lot easier. Well now to create the pages for booking forms and I should be done in a few days.

Away I go !
 