On Sat, May 1, 2010 at 2:43 PM, Kent Borg <kentborg-KwkGvOEf1og at public.gmane.org> wrote:
> Eric Chadbourne wrote:
> > I have a couple of local small insurance companies that need their
> > websites redone. Looks like they are going to let me do it. Are there
> > any industry-specific security standards I have to be concerned with?
> >
>
> The credit card people have some (I think) public standards that might
> be worth looking at.
>
> > Such as with an HTML form that collects info for a request for a quote?
> >
>
> Don't talk to children. Some specific laws about that. European laws can
> be very strict, they probably don't apply to you, but might be worth
> Googling to get you thinking.
>
> > Thanks for any tips!
> >
> > Eric C - the one who wants to encrypt everything.
> >
>
> Yes on encryption. I would start with running everything over https,
> even the home page. Immediately redirect from http. (There are ways to
> do man-in-the-middle if one can grab the http connection first--people
> don't watch for the httpS and the padlock isn't really paid attention to
> and there is room for at least partially faking them). Don't trust that
> https is completely secure--what if the CA is served with a court order
> to supply keys?
>

Depending on what you're doing you may need more than a plain SSL Cert for your website. There are different grades of encryption for SSL and the higher grades of encryption usually also have a higher level of warranty against misuse.

-matt
http://www.sysadminvalley.com
http://www.beantownhost.com
http://www.linkedin.com/in/mattboston
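Kent's advice above (serve everything over https, and redirect plain http immediately) in working code, as an added example that is not part of the original thread or anyone's posted code: a minimal Python listener meant for port 80 that answers every request with a 301 to the same URL on https. The host name www.example-insurance.com, the port 8080 in the usage line and the probe_once helper are assumptions for illustration. Two details matter for the man-in-the-middle point Kent raises: the redirect target is pinned to a fixed canonical host rather than echoed from the request's Host header (otherwise the redirector is an open redirect), and a form POSTed over plain http is refused instead of redirected, because its contents have already crossed the wire in the clear. The Strict-Transport-Security header is deliberately left to the https side; browsers ignore HSTS received over plain http (RFC 6797).

```python
"""Added example (not from the thread): a plain-HTTP listener whose only
job is to send every request to the HTTPS site with a 301."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit, urlunsplit

# Assumed name: the canonical HTTPS host of the site being redirected to.
CANONICAL_HOST = "www.example-insurance.com"

# To be sent by the HTTPS vhost on its own responses, NOT by this
# redirector: browsers discard HSTS that arrives over plain HTTP.
HSTS_HEADER = ("Strict-Transport-Security", "max-age=31536000")


def redirect_location(raw_path, canonical_host=CANONICAL_HOST):
    """Return the HTTPS URL to redirect a plain-HTTP request to.

    The request's Host header is deliberately not used; an attacker can
    set it to anything, which would turn this into an open redirect.
    Only path and query are carried over. urlsplit also copes with
    request targets in absolute form ("http://host/p") and with
    protocol-relative junk ("//evil.test/p"), in both cases keeping just
    the path component.
    """
    parts = urlsplit(raw_path)
    path = "/" + parts.path.lstrip("/")      # always exactly one leading slash
    return urlunsplit(("https", canonical_host, path, parts.query, ""))


class RedirectToHTTPS(BaseHTTPRequestHandler):
    server_version = "https-redirector/0.1"

    def _redirect(self):
        self.send_response(301)
        self.send_header("Location", redirect_location(self.path))
        self.send_header("Content-Length", "0")
        self.send_header("Connection", "close")
        self.end_headers()

    do_GET = do_HEAD = _redirect

    def do_POST(self):
        # A form body that arrived over plain HTTP has already been
        # exposed; a 301 would only make the browser re-request as GET
        # without the body. Refuse so the problem shows up in the logs.
        self.send_error(403, "Submit this form over HTTPS")

    do_PUT = do_DELETE = do_PATCH = do_POST


def probe_once(method="GET", path="/quote?x=1"):
    """Assumed helper: start the listener on a free loopback port, send
    one request, and return (status, Location) so the behaviour can be
    checked without touching a real network."""
    import http.client
    import threading

    srv = HTTPServer(("127.0.0.1", 0), RedirectToHTTPS)
    thread = threading.Thread(target=srv.serve_forever, daemon=True)
    thread.start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", srv.server_address[1], timeout=5)
        conn.request(method, path)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    # Assumed port; in production this listens on 80 while the real
    # site is served on 443 by a TLS-terminating server.
    HTTPServer(("0.0.0.0", 8080), RedirectToHTTPS).serve_forever()
```

Run it beside the https vhost: nothing but this redirector should ever answer on port 80, and the https responses should carry the HSTS header shown above so that returning browsers skip the plaintext hop entirely.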