How to Secure Forms and eMails

Jun 11, 2019Security

We’ve been talking about the lack of security in collecting web form submissions and sending that data in emails. When we utilise online forms, our visitors trust and security should be our number one concern. As you know, special laws govern the collection of electronic protected health information.

We hope you are already making sure the form itself is secure through SSL (TLS), field validation and CAPTCHA (or some other type of Challenge-Response system). These are pretty standard and likely you have them set up already.

So, is there a way of collecting the website form submissions in a secure way? Yes! There are several different strategies for doing so, and new ones evolving all the time. Let’s look at just some of them.

Limit Collection of Sensitive Data!

Seems obvious but there’s a lot of temptation to collect as much as we can. Date of Birth, Address, Phone number are all sensitive data and needs to be protected for your users sake and yours. Sometimes the best way of protecting it is DON’T ASK FOR IT in the first place if you have no real need of it. Just because we can doesn’t mean we should.

If there is a need, could it be more generalised and therefore less of a security risk? For example, ask for age instead of DOB, postcode instead of address.

Encrypt the Emails

It is possible to encrypt the email that is sent from the website (where the form is) to your inbox. Of course, once its in your inbox it has to be de-crypted! This method does require a little technical know-how.

There are two key steps: installing a plugin on the website and adding the encryption keys, and installing an addon to your email program and inserting the encryption keys.

On a website using wordpress, for example, you can install a plugin such as “WP PGP Encrypted Emails”. Follow the instructions in the documentation for setting up your PGP Public Key and Private Key.

In the email program (email client) on the computers that will read the emails, an encryption addon will need to be installed. for example, GPG4Win works with Outlook, and Enigmail works on Thunderbird. The relevant private key is entered and the program decrypts any email sent from the website. And Viola! secure receipt of form submissions.

Send Submissions to a Secure Third-Party

If you have the ability to view form submissions through a login on your website that has SSL (Secure Socket Layer), what you are viewing is protected by the SSL of the site.

You can also connect your site form submissions to another secure content provider such as Dropbox, Google Docs, Mailchimp or your specialised office software such as Medical Practice Management Software. These sites/apps have the ability to be connected to your form over a secure connection via API (application programming interface) and receive your data. Within these sites/apps you can view the data securely.

Use a Third-Party Form

A third-party form provider takes care of a lot of security for you. You can view the form submissions online when you login to your form provider. You may also be able to send the data from there through a secure connection to another service. However, in most cases emailing the form submission is not secure, unless you have encrypted email.

Some are third-party forms are free and some are ‘paid-for’. Be aware that if they are free then YOU and your data are the product and you’re users’ privacy is likely also a part of that product. Warning!! Here’s a list of five more common ones, in no particular order.

  • Google Forms – you can create powerful forms quickly and easily
  • Microsoft Forms – good for collecting and analysing form results in Excel
  • Wufoo – handy for quickly creating graphical reports
  • JotForm – highly customisable forms for free
  • Formstack – good for complex work flows and regulated businesses

Next time we’ll talk about online security in general. Stay tuned.