[Web4lib] Summer Reading Program - Online Registration & Book Log

Cloutman, David DCloutman at co.marin.ca.us
Mon Jun 9 14:31:26 EDT 2008

The lack of the SSL certificate is the least of your problems. Users do
not need a password to login to their account. Anyone who knows the name
of a child and their birthday can log in as that child!

Under other circumstances, I wouldn't be too concerned about encryption
of what is relatively insensitive data, but because you're passing
around names and birthdays, you are starting to get into the realm where
identity theft could become an issue. Because you're doing this, you
probably should encrypt the data. (I don't know why someone would steal
a child's identity, but I always expect crooks to do the unexpected. The
best scams are always novel.) Next time you should stick to the standard
username / password combo. It is the standard in authentication for good

That aside, you can implement SSL without purchasing a certificate. You
simply need to generate your own certificate. The browser will simply
say that the certificate is unverified, and the user will have to either
accept or deny the certificate. If they accept, you will achieve the
encryption benefit of SSL. How you do this is documented on the Web, but
will be unique to the SSL software that your Web server is using.

David Cloutman <dcloutman at co.marin.ca.us>
Electronic Services Librarian
Marin County Free Library 

-----Original Message-----
From: web4lib-bounces at webjunction.org
[mailto:web4lib-bounces at webjunction.org] On Behalf Of Pruntel,Alison
Sent: Monday, June 09, 2008 10:56 AM
To: web4lib at webjunction.org
Subject: [Web4lib] Summer Reading Program - Online Registration & Book

Please excuse as I am posting this to several lists.


Our library system offers summer reading program participants the
ability to register and log their books online (see
reading.fauquiercounty.gov). We received a complaint from a parent
because our SRP site is not secure (she noticed the absence of
SSL/certificate). Frankly, we hadn't considered it, as the cost
($399/year for Verisign, which is the preferred vendor of our county) is
rather prohibitive for the 8 weeks we would need it. We do offer patrons
the option to sign up in person/fill out a paper form, which is probably
just as "secure." 


How are other libraries dealing with this? I've been looking around at
other VA public libraries and so far have not found one where the https
was invoked, whether for online signup for the summer reading program or
other programs that allow online registration.


Short of shelling out this much money, any suggestions? I'm also
concerned because we allow patrons to submit personal information when
they apply online for a library card or a volunteer position. Maybe we
should have SSL on these areas of our site as well.


We would also be interested in any feedback about 3rd party applications
we can use for the online registration/stats/book logging. Our IT
department created our current version but are not able to make changes,


Thanks in advance for any information you can provide.




Alison Pruntel 
Electronic Resources Librarian 
Fauquier County Public Library 
11 Winchester Street 
Warrenton, VA 20186 
540-349-2770 (voice) 
540-349-3278 (fax) 


Web4lib mailing list
Web4lib at webjunction.org

Email Disclaimer: http://www.co.marin.ca.us/nav/misc/EmailDisclaimer.cfm

More information about the Web4lib mailing list