On many provider websites, when your filling out the personal info (name, occupation, work #, etc.) I've noticed that on the navigation toolbar that the security is never locked....Which I think means that the site is not encrypted...

Isn't it easier for hackers to obtain info. when that security toolbar is not locked?...Can providers secure their sites easily, or it more complicated than that?....Any computer savvy people know about security/encryption & risks involved when filling out info. on a non-secure page.....

Thanks...

that security is a self-comforting illusion, at best.

you shouldn't transact or disseminate any information on the internet, the release or retransmission of which, would have you in a bind (as you yourself would define a "bind")

any "computer savvy" person who tells you that you have nothing to worry about if you were to just use SSL or some other encryption technique is kindly blowing smoke up your chimney -- all good intentions aside

my own policy is to pause right before hitting return (or clicking my acceptance of the terms) ... and to ask myself ... is it ok if i was to also Cc a copy of this transaction to so-and-so? ... and if the answer is yes, then it's a go!

my (insecure) $0.02  

The lock indicates that SSL encryption is in place, but that generally only indicates the message will be encrypted between you and the recipient.  That's how hackers get credit card #s from retail and bank computer systems.  The #s may be encrypted during transit, but many systems don't encrypt them again for storage AFTER the message has arrived at the destination.

In most cases, the form you fill out sends the information via e-mail to the provider.  After you click "send," a program is invoked which puts all your information into an e-mail format, then  e-mails it to whatever address has been designated.

Nonsecure information can be picked up by "sniffers"
http://www.robertgraham.com/pubs/sniffing-faq.html
(see topic 1.1 "What is a sniffer?"

Sniffer-like technology is what the spooks use to monitor internet traffic to catch spies, al quaeda, elderly people who buy their prescription drugs in Canada, and people who submit unflattering stories about Dubya to "The Onion."

Both Singleton and bikebryan are right on the money. As far as filling out information goes, think of it as sending information via email. If you're comfortable sending out the information in an email to a bunch of friends, then you should feel comfortable filling out an online form (from a security standpoint anyway).

As far as the security icon on the browser goes, the security mechanisms built into most web browsers and web servers are designed to take data entered from a browser and encrypt it prior to transmission to a webserver. What happens after that is determined by what the receiver chooses to do with it.

That being said, there are ways to secure communication such as e-mail, both during transmission and for storage afterwards that are pretty easy to use. The caveat is that both the sender and receiver have to want to participate in encryption.

You can use PGP (Pretty Good Privacy) or one of its derivatives to secure all of your personal communication. I've enclosed a link to a PGP information website. You can find PGP software there that is free for Windows, MacOS, Linux, *nixes, and others. There are many other sites as well, just do a search for PGP or Pretty Good Privacy.

You can read all about it on the site, but basically the way it works is that you choose a _good_ password. Using the software, you generate two encrypted keys with your password. One key is a private key that is stored on your computer. You keep this key private and treat it and your password like Fort Knox treats gold.

The second key is a public key. You can give it to whomever you want, even post it for the entire world to see. Anyone who wants to send you something: email, a sensitive document, or whatever, uses the software and your public key to encrypt whatever it is that they wish to protect.

Once encrypted, the only way to decrypt it is to use the private key and the password, which only you have. Even the originator can't reverse the process. Only by having the private key and the password can you decrypt the content.

The basic idea is that you collect the public keys of the people with whom you wish to correspond and share yours with them. When you wish to correspond securely, you use that person's public key. When they choose to respond, they use your public key.

Many of the software programs derived from PGP also let you MANAGE your correspondance and documents. They allow you to store your correspondance in an encrypted fashion. A lot of them also seamlessly plug in to e-mail clients such as Outlook, Netscape, Eudora, and others. This is handy as you can type your message and then click a single button to encrypt and send e-mail. The encrypted version of the email goes into your "Sent" folder. No version of the unencrypted variant remains.

One thing you need to be aware of is that using someone's public key requires a certain amount of trust. How well do you trust the person whose public key you are using? If you know the person and  they gave you the key personally, I'd say you can trust it. But if you received a plain-text email containing a public key from an unknown entity you have to weigh it's validy.

There's a concept of building a "ring of trust" whereby you may not know the owner of the public key, but someone you do trust vouches for it. A complete discussion isn't feasible here, but the website below and others discussing PGP talk about it.

As far as this hobby is concerned, I would love it if providers published a public key (on their "contact me" page or advertisement for instance). Of course, they don't know you from Adam (or Adam 12), so they have to decide how much they trust you, but you could at least initiate secure communications and not worry about leaving plain-text evidence lying around. It would be nice to find a way, say a central, trusted location, where hobbyists' keys could be vouched for.

On a side note, with PGP you can generate _very_ secure keys. The longer the key, the harder it is to crack. The keys generated by web browsers are, at most, 128 bits in length. That's a pretty secure key, but PGP lets you create 1024 bit keys. that's 10 orders of magnitude (or 10,000,000,000)) times harder to crack.

As long as you don't choose an easily-guessed password, it takes some _serious_ resources (think government agencies or _really_ big corporations) to crack that key in a reasonable amount of time. Even so, it costs about $750,000 to do it, (time, personnel, etc.) so someone has to want that key really bad.

Depending on the script used, it is possible to have the form information e-mailed to more than one address.  Some ladies' websites are prepared by others ("webmasters/webmistresses")...it would be possible for an unscrupulous, or voyeuristic, webmaster to have copies of the form sent to him/her (unbeknownst to the provider).   Of course, I doubt that it ever happens in real life, but it is a possibility...mentioned only in the sake of public interest and paranoia provocation.

SSL is not an illusion.  It does what it was designed to do and does it very well, protect information in transit.  

Our conversation here for example is not protected by SSL and is transmitted in cleartext on the Internet yet we do it anyway.  Why?  Because the benefit far outweighs the risk.

I believe what you may have meant is that using SSL by itself only addresses one of the threats to confidentiality.

Without getting into it, there are bigger threats to confidentiality than those related to the absence of SSL for this kind of scenario which is why I do not use provider website forms to provide any confidential information about myself.

"I doubt that it ever happens in real life, but it is a possibility" -- mephistopholis


i can envision many such scenarios, a (secretly) jealous ex-boyfriend/webmaster, mercenary web hackers who are in cahoots with agencies ... you name it

in its almost evolutionary conflagration the internet is a good mimic of good old "Mother Nature" -- if by hook or crook some little teeny thing can be exploited then it almost certainly will and exponentially so.

my own net mantra is: be paranoid, be very paranoid!  (adapted from the movie THE FLY)


F20238 43D7FL 3234#@ 8LSKJF 98Q23 A8SD19 1#@5FG
97FDKS 13FL23 ASA8FD #@234L ASLFW 8URJ3R 90FDS2
2KLJ34 KLJLK3 234808 423#21 SDF23 98FSD7 F82934






Hi Mom!  

I am not a computer security expert nor even a computer professional in any area of expertise but I would agree with
h@ck_thi5 when he states that "there are bigger threats to confidentiality than those related to the absence of SSL"

SSL is typically used on commercial websites such as Amazon.com
where confidential information including Names, addresses, and CREDIT CARD NUMBERS are being transmitted via the internet.

My concern with provider website forms is the uncertainty associated with how the information is handled once it is transmitted and received. Are files stored on a server or the provider's home/office computer? Are hard copies printed out for future reference? Any number of things could happen to compromise this information even though it may be innocent/unintentional.

I am new at this "hobby". I recently saw my first provider. She is well reviewed on TER and she has a website with a "Date request form". I chose not to submit my confidential information via this form precisely because of the type of concerns raised in this thread and those that I have alluded to here. Instead I chose to contact her by email and expressed my concern about providing the requested information over the internet. I let her know that I was willing to provide the information and asked to speak to her over the phone about the matter.

I understand the personal security issues that these women face.
I therefore agreed and did provide the information over the phone and she was OK with that. Afterall she was getting exactly the same information but via a different method.
Of course the information is perhaps written down and could I suppose be carelessly discarded or left laying around but it is usually much more sketchy and less likely to be kept in a more permanent fashion the way it might be if stored as a computer file somewhere.

Eventually there has to be some level of trust on both sides and a willingness to take a calculated risk.

By the way we had a great time, or at least I did, and she has agreed to see me again and was very complimentary toward me so I must be doing something right!