[WEB4LIB] Does Your Library Use SSL to Protect Patron Data?

Mark Ellis mark.ellis at rpl.richmond.bc.ca
Mon Apr 9 18:54:21 EDT 2001


Hi Donna,

We're using SSL for all our booking, registration and card application
functions, but not for catalog access.  There is a fair amount of processing
overhead for SSL connections--it's particularly noticeable when you
initially set one up (i.e., switch from http to https).  I don't think it
would be a good idea for something as heavily used as a catalog.

You do need to purchase a certificate from a certificate authority (CA), but
not necessarily from Verisign.  They had the inside track because their root
certificates were built into the first versions of Netscape, but other CAs
exist and should be seriously considered especially now that even quite old
browsers know about them.

The price difference can be persuasive:

Verisign:	$349
Thawte:	$125
Equifax:	$99

http://www.thawte.com/certs/server/contents.html
http://www.verisign.com/products/site/secure/index.html
http://www.equifaxsecure.com/digitalcertificates/dc_webservcert.html

We currently have a Verisign cert, but I'll likely purchase Thawte's when
our current one expires.


Mark Ellis
Manager, Reference and Information Services
Richmond Public Library  
Richmond, B.C.                      
(604) 231-6410
www.yourlibrary.ca


> -----Original Message-----
> From: Donna Schumann [mailto:schumann at timberland.lib.wa.us]
> Sent: Monday, April 09, 2001 2:02 PM
> To: Multiple recipients of list
> Subject: [WEB4LIB] Does Your Library Use SSL to Protect Patron Data?
> 
> 
> We are in the process of adding a library card application form to our
> web page. As we have talked about the implications of patrons filling
> out an Internet form with name, phone number, address, etc., we are
> coming to the conclusion that we really need to use SSL to protect
> patron privacy. This now has us looking at the lack of security for
> patrons placing holds over the Internet. Our patrons can access the
> catalog using either telnet or WebPac, and when they place holds, their
> library card number, PIN, name, address, phone number, etc. is
> transmitted. We know that the telnet data is being sent as clear text,
> and we suspect that the same is true with WebPac.
> 
> How are other libraries dealing with this?
> 
> Also, are there any words of wisdom about setting up SSL? (We're using
> IIS.) Do we need to go through VeriSign or can we just use MS
> Certificate Server to generate our own certificates? How much does it
> cost to get a VeriSign certificate?
> 
> Thank you! Donna 
> 
> -- 
> Donna Schumann, Computer Application Specialist
> Timberland Regional Library, 415 Airdustrial Way SW, Olympia, WA 98506
> Voice: 360-704-4542  FAX: 360-586-6838  Email:
> schumann at timberland.lib.wa.us
> 

