Does Your Library Use SSL to Protect Patron Data?

Richard Wiggins wiggins at mail.com
Mon Apr 9 22:11:26 EDT 2001


This is a hot button issue for me.  When Netscape first promulgated SSL, I think they conveyed a huge false sense of security to all of us.  Implemented properly, SSL covers transmission of transactions over the Web.  It does nothing to address the security of content stored in your back-end databases.

There was a wonderful Dilbert about the safety of transactions on the Web.  Two of the characters are out to eat.  One is pontificating about how he would NEVER buy anything on the Internet; it's just not safe.  He pays with a credit card while pontificating.  The server (waitron) comes back wearing a new mink coat.

IMHO, it's great and good to protect your patrons' transmission of confidential information to your servers.  In practice, I believe for most patrons, the real risk of interception of that information is extremely low -- in most cases, practically nil.  If the patron is dialing into an ISP, I simply refuse to believe that there are people at that ISP, or at the intervening networks between the ISP and the library, intercepting traffic.

Where there is a risk of interception is where Internet pipes are shared in a way susceptible to sniffing.  Potentially, patrons entering confidential information at a cybercafe, or in a public lab in a university, or over an office LAN, might have their information intercepted.  So that's why it's worth doing SSL.  (Though I think any sniffers probably seek credit card numbers, not library transaction data.)

But the real question is, what do you do to secure the information on your servers?  This is where real compromises of privacy occur.  There have been a dozen or more stories of real breakins to back-end servers, where thousands of private records, including credit card numbers, have been compromised.  C'mon, when was the last time you read a news story about a SINGLE instance of someone sniffing private information during transmission between end user Web browser and remote e-commerce server?  I will donate $100 to the favorite charity of the first person who can cite a credible news story of such an interception of a confidential business transaction.

So ask not if the Internet is secure, ask if your servers are secure. How is the data in your back-end databases protected?  Is it encrypted?  Is it behind a firewall?  Has anyone done an audit to make sure basic, known security holes are closed?  Do you purge confidential data from servers when no longer needed for business reasons? These issues are from 100 to 1000 times more important than any issues relating to interception of your patron data during Internet transmission.

Consider these real news stories:

350,000 credit card numbers stolen, posted on the Net:
http://www.infowar.com/hacker/00/hack_030300e_j.shtml

Thousands of Western Union customers' credit card numbers stolen:
http://www.nandotimes.com/noframes/business/story/0,2469,500249389-500371754-502230294-0,00.html

Two Welsh teens steal 26,000 credit cards online:
http://www.apbnews.com/newscenter/internetcrime/2000/03/24/curador0324_01.html

/rich


> -----Original Message-----
> From: Donna Schumann [mailto:schumann at timberland.lib.wa.us]
> Sent: Monday, April 09, 2001 2:02 PM
> To: Multiple recipients of list
> Subject: [WEB4LIB] Does Your Library Use SSL to Protect Patron Data?
> 
> 
> We are in the process of adding a library card application form to our
> web page. As we have talked about the implications of patrons filling
> out an Internet form with name, phone number, address, etc., we are
> coming to the conclusion that we really need to use SSL to protect
> patron privacy. This now has us looking at the lack of security for
> patrons placing holds over the Internet. Our patrons can access the
> catalog using either telnet or WebPac, and when they place 
> holds, their
> library card number, PIN, name, address, phone number, etc. is
> transmitted. We know that the telnet data is being sent as clear text,
> and we suspect that the same is true with WebPac.
> 
> How are other libraries dealing with this?
> 
> Also, are there any words of wisdom about setting up SSL? (We're using
> IIS.) Do we need to go through VeriSign or can we just use MS
> Certificate Server to generate our own certificates? How much does it
> cost to get a VeriSign certificate?
> 
> Thank you! Donna 
> 
> -- 
> Donna Schumann, Computer Application Specialist
> Timberland Regional Library, 415 Airdustrial Way SW, Olympia, WA 98506
> Voice: 360-704-4542  FAX: 360-586-6838  Email:
> schumann at timberland.lib.wa.us
> 

------------------------------

End of WEB4LIB Digest 2202
**************************
__________________________________________________
Richard Wiggins
Consulting, Writing & Training on Internet Topics
http://www.netfact.com/rww  wiggins at mail.com
517-349-6919 (home office)  517-353-4955 (work)  
______________________________________________
FREE Personalized Email at Mail.com
Sign up at http://www.mail.com/?sr=signup


More information about the Web4lib mailing list