Why Bother? (with secure transactions)
E-commerce web sites have raised the awareness of most users to the desirability of secure transactions. They have come to expect that any personal information that they send or receive is secure from other eyes.
Any time you ask someone to submit personal data via a web form, or you display information about them from your database, that information travels across the internet. Over plain HTTP it travels in the clear, readable by anyone on the path between the browser and your server.
Given a choice, most users would prefer to keep such information private.
WebVoyage's Patron Information
A typical WebVoyage OPAC session does not involve any sensitive information.
That is, if we discount the issue of whether a patron's search strategy is deserving of privacy. And we are discounting it for this discussion. :-)
However, when users access the "Patron Information" component of WebVoyage, they are transmitting and receiving sensitive information. They are submitting their last name and (in our case and many others) their Social Security Number.
And in return they receive a page containing their full name, address, and phone number, as well as information such as charged items. This more obviously falls within the realm of personal information that a user expects to keep private.
Okay, maybe it's not the law where you live, but it's the law in Texas. At least for state web sites, which we are considered to be. It's all right there in Title 1 of the Texas Administrative Code, Section 201.12, Subsection b, Paragraph 5. To wit...
1 T.A.C. Sec. 201.12. State Web Sites.

(b) All state agencies will adhere to the following:

(5) Prior to providing access to information or services on a state Web site that require user identification, each state agency shall conduct a transaction risk assessment, and implement appropriate security and privacy safeguards. At a minimum, state Web sites that require a citizen to enter the following information shall use an SSL session or equivalent technology to encrypt the data:

(A) Both the individual's name and other personal information, such as an SSN;
(B) Transaction payment information; or
(C) An individual's identification code and password.

Further guidance concerning server certificates and encryption key length are contained in SRRPUB11 at http://www.dir.state.tx.us/standards/srrpub11.htm
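The Patron Information form described above (last name plus SSN) is exactly the case clause (A) covers, and the same test can be applied to every form your OPAC serves. Below is an added example, not code from WebVoyage or from the original page, that parses the HTML of a page, works out which of clauses (A), (B) and (C) each form's fields would trigger, resolves the form's action against the page URL, and reports whether the data would be posted to an https: URL. The field-name hints, the host name opac.example and the sample forms are all assumptions constructed for the example.

```python
"""Audit HTML forms for data that 1 T.A.C. 201.12(b)(5) says must travel over SSL.

Added example, not part of WebVoyage or the original page. The field-name hints
are assumptions about common naming; adjust them to the forms you actually serve.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Substrings of field names taken to indicate each kind of data (assumed conventions).
NAME_HINTS = ("lastname", "last_name", "firstname", "first_name", "fullname", "full_name")
PERSONAL_HINTS = ("ssn", "social", "dob", "birth")               # clause (A), together with a name
PAYMENT_HINTS = ("card", "payment", "cvv", "expir")              # clause (B)
ID_HINTS = ("userid", "user_id", "username", "login", "barcode")  # clause (C), together with a password
SECRET_HINTS = ("password", "passwd", "pwd")


def _any(fields, hints):
    return any(h in f for f in fields for h in hints)


def triggered_clauses(field_names):
    """Return the clauses of 201.12(b)(5) that a form with these fields triggers."""
    fields = [f.lower() for f in field_names]
    clauses = []
    has_name = _any(fields, NAME_HINTS) or "name" in fields
    if has_name and _any(fields, PERSONAL_HINTS):
        clauses.append("A")
    if _any(fields, PAYMENT_HINTS):
        clauses.append("B")
    if _any(fields, ID_HINTS) and _any(fields, SECRET_HINTS):
        clauses.append("C")
    return clauses


class FormCollector(HTMLParser):
    """Collect each <form>'s action and the names of its data-bearing inputs."""

    SKIP_TYPES = {"submit", "reset", "button", "image"}

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name")
            if name and (a.get("type") or "text").lower() not in self.SKIP_TYPES:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(html, page_url):
    """List the forms that carry regulated data, the URL each posts to, and
    whether that URL is an https: one. A relative action inherits the scheme of
    the page that served the form, so a form on an http: page is itself a finding."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        clauses = triggered_clauses(form["fields"])
        if not clauses:
            continue
        target = urljoin(page_url, form["action"])
        findings.append({
            "action": target,
            "clauses": clauses,
            "encrypted": urlsplit(target).scheme == "https",
        })
    return findings


# Constructed sample: a search form (no regulated data), a Patron Information
# login posting last name + SSN via a relative action on an http: page, and the
# same form pointed at an https: URL. The host name is made up.
PAGE_URL = "http://opac.example/patroninfo"
SAMPLE_HTML = """
<form action="/search" method="get">
  <input name="searchArg"><select name="searchCode"></select>
  <input type="submit" value="Search">
</form>
<form action="/cgi-bin/patroninfo" method="post">
  Last name: <input name="lastName"> SSN: <input name="ssn" type="password">
  <input type="submit" value="Login">
</form>
<form action="https://opac.example/cgi-bin/patroninfo" method="post">
  Last name: <input name="lastName"> SSN: <input name="ssn" type="password">
</form>
"""

if __name__ == "__main__":
    for f in audit_forms(SAMPLE_HTML, PAGE_URL):
        status = "ok" if f["encrypted"] else "CLEARTEXT"
        print(f"{status:9} clause(s) {','.join(f['clauses'])}  {f['action']}")
```

Run against the sample it reports the relative-action form as CLEARTEXT and the https: form as ok. Note that the check is static: it tells you where a form would send its data, not whether the server answering that URL actually has SSL configured, and a page that is itself served over http: can be altered in transit before the form is ever submitted, so the whole Patron Information path, not just the POST, belongs under SSL.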
One might argue, "That's all well and good, but we're not required by law to provide it. And really, why would a hacker even try to intercept a Patron Information session?"
In response, I would answer that in the Grand Scheme of Things, it is probably a pretty remote threat. Bear in mind, though, that interception does not require anyone to target your OPAC in particular: a passive sniffer on a shared network segment sees every cleartext form submission that passes, whatever site it was meant for. And aside from ensuring patron privacy, installing SSL is a good exercise, and you will likely find additional, more compelling uses for it once you have added it to your security tool kit.