[PLUG] Secret message web page

Keith Lofstrom keithl at kl-ic.com
Sat Apr 14 17:58:52 UTC 2007


I set up a "secret message to Keith webpage".  I think.  As I am
not a security guru, I could use some help checking my logic.

PGP is too hard for most people to figure out.  About every 6 months
or so, some random computer-illiterate semistranger needs to send
me a short secret message, say to send a password or encryption key.
These are not high grade defense-level secrets, but a little more 
than I want to trust to clear-text email.

Hence the webpage.  It is a simple form, accessible through port 443
(SSL https web service) on my server:
--------------------------------------------------------------------
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head>
<meta name="description" content="Send Keith a Message form">
<title>Send Keith a Message</title>
</head><body>
<FORM METHOD=POST ACTION="https://www.keithl.com/cgibin/XXXXXXXXX.cgi">
   <INPUT TYPE="hidden" NAME="FORMVERSION" VALUE="XXXXXXXX.html 2007Apr14 KHL">
   Enter text to send to Keith Lofstrom in this text box
   <INPUT TYPE="submit" NAME="EXECUTE_OPTION" VALUE="Send page to Keith">
   <br><TEXTAREA ROWS=20 COLS=90 NAME="TEXT53"></TEXTAREA>
</FORM></body></html>
--------------------------------------------------------------------

The POST data is sent to the XXXXXXXX.cgi script (name obscured) on
my server, which sends back a confirmation page (https of course)
and emails me (internally, over a VPN link) the information and 
some environment information such as the date, the script and form
names, the IP address of the remote browser, and whether HTTPS is
turned on.

This is not bulletproof;  it is a self-signed cert, for example, so
it is somewhat vulnerable to a man-in-the-middle attack.  But hey,
if Eve works that hard to access the information, she would be more
interesting to talk to, anyway.  :-)

Is this an acceptable approach, or is it too weak to bother with?

Keith

-- 
Keith Lofstrom          keithl at keithl.com         Voice (503)-520-1993
KLIC --- Keith Lofstrom Integrated Circuits --- "Your Ideas in Silicon"
Design Contracting in Bipolar and CMOS - Analog, Digital, and Scan ICs
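
Added example, not part of the original post and not the poster's script: a Python sketch of the server-side handling the message describes (accept the POST, record date, script and form names, remote IP and HTTPS state, build the notification mail). The function name `handle_submission`, the `MAX_BODY` cap and the `example.invalid` addresses are assumptions; actual delivery over the internal link is left to the caller.

```python
from datetime import datetime, timezone
from email.message import EmailMessage
from urllib.parse import parse_qs

MAX_BODY = 16 * 1024  # assumed cap; a 20x90 textarea needs far less


def handle_submission(environ, raw_body):
    """Return (http_status, EmailMessage or None) for one CGI request."""
    # Refuse anything that did not arrive over TLS. CGI servers such as
    # Apache set HTTPS=on in the environment for SSL requests.
    if environ.get("HTTPS", "").lower() != "on":
        return 403, None
    if environ.get("REQUEST_METHOD") != "POST":
        return 405, None
    if len(raw_body) > MAX_BODY:
        return 413, None
    form = parse_qs(raw_body.decode("utf-8", "replace"),
                    keep_blank_values=True)
    text = form.get("TEXT53", [""])[0]
    if not text.strip():
        return 400, None

    msg = EmailMessage()
    # Headers are fixed strings: nothing from the browser reaches a
    # header, so CR/LF in form data cannot inject extra mail headers.
    msg["From"] = "webform@example.invalid"   # placeholder address
    msg["To"] = "recipient@example.invalid"   # placeholder address
    msg["Subject"] = "Secret message form submission"
    meta = {
        "Date": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "Script": environ.get("SCRIPT_NAME", "?"),
        "Form": form.get("FORMVERSION", ["?"])[0],
        "Remote IP": environ.get("REMOTE_ADDR", "?"),
        "HTTPS": environ.get("HTTPS", "off"),
    }
    # repr() escapes control characters in sender-supplied metadata so
    # it cannot forge extra lines in the metadata block.
    lines = [f"{k}: {v!r}" for k, v in meta.items()]
    msg.set_content("\n".join(lines) + "\n\n--- message ---\n" + text + "\n")
    return 200, msg
```
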


