SecureForm

How SecureForm works

When you click on the secure form link (e.g. pay account), you are transferred to a form on our secure SSL server, secure.clari.net.au. The browser indicates that a secure, encrypted connection has been established by showing a locked padlock icon in the status bar:

[Images: the padlock icon as shown by Netscape and by Internet Explorer]

Our secure server is able to create secure SSL-encrypted connections to your browser, and supports 128-bit SSL-encrypted connections. The actual strength of the encryption established depends on your browser—some browsers can only establish a 40-bit encrypted connection. U.S. export restrictions were loosened in December 1999, so browsers are now available outside the U.S. that support full 128-bit encryption. You may like to visit Netscape, Firefox or Microsoft to download a browser that supports strong encryption.

As an additional security measure, we have configured secure.clari.net.au to only respond to requests for SSL-encrypted connections.

Technical note: secure.clari.net.au only listens on port 443, not the standard port 80. This forces users to use https:// (SSL) to retrieve a page rather than http:// (standard http).

Once you fill in the form and click the submit button (on our account payment form, this is the 'I authorise this payment' button), your details are processed by a CGI script which saves the details to a data file on the secure server. This file is stored in an area of the secure server that is not accessible—not even to you!

Technical note: The data file is stored outside of the web document root, making it far less vulnerable to attack from 'the world' (users with access to web documents).

As well as saving the details to a data file, the script sends an e-mail notification to the owner of the form to let them know that the form has been submitted. No data from the form is sent in this e-mail. The e-mail notification contains the URL of the message-pickup page—most e-mail clients allow the user to simply click (or double-click) on the URL to go straight to the message-pickup page.

Technical note: The URL for the message-pickup page is in the form of https://secure.clari.net.au/username/message-pickup.cgi. The URL is fully specified using https:// so that a secure connection is established.

Remember, even if the form owner attempts to retrieve the messages insecurely by typing the URL using http://, the server will not respond on port 80, forcing them to use https:// to retrieve the data securely.

When the message-pickup page is loaded, the form owner must enter their password and click the submit button to view the output from the form. The data is only viewable via an SSL-encrypted browser session, maintaining the security of the data from submitter to recipient at all times.

Output from subsequent form submissions is appended to the end of the data file. This means that the data file can become fairly long and unwieldy after a period of time. There is a reset function which allows you to delete the contents of the data file. The reset function should only be used after the data from the file has been printed for your records.
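
The save, notify and append steps described above, sketched in Python as an added example (this is not the SecureForm CGI script itself). The JSON-lines record format, the directory layout, the sender address and the function names are assumptions, and the submission values are constructed.

```python
import json
import os
import tempfile
from email.message import EmailMessage
from pathlib import Path

PICKUP_URL = "https://secure.clari.net.au/{username}/message-pickup.cgi"  # URL form given above


def store_submission(fields, data_file, doc_root):
    """Append one submission to data_file, refusing any path under doc_root."""
    data_path = Path(data_file).resolve()
    root = Path(doc_root).resolve()
    if data_path == root or root in data_path.parents:
        raise ValueError("data file must live outside the web document root")
    # O_APPEND keeps earlier submissions; 0o600 limits a new file to the script's user.
    fd = os.open(data_path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    with os.fdopen(fd, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(fields) + "\n")  # one record per line (assumed format)
    return data_path


def build_notification(owner_email, username):
    """Build the e-mail to the form owner: pickup URL only, no form data."""
    if not username.isalnum():
        raise ValueError("unexpected characters in username")
    msg = EmailMessage()
    msg["To"] = owner_email
    msg["From"] = "secureform@example.invalid"  # assumed sender address
    msg["Subject"] = "A SecureForm submission is waiting"
    msg.set_content("Collect it at:\n" + PICKUP_URL.format(username=username) + "\n")
    return msg


def demo():
    """Run both steps on a constructed submission in a temporary directory."""
    base = Path(tempfile.mkdtemp())
    doc_root, private = base / "htdocs", base / "private"  # assumed layout
    doc_root.mkdir()
    private.mkdir()
    fields = {"name": "Test User", "card": "4111111111111111"}  # constructed values
    path = store_submission(fields, private / "form.dat", doc_root)
    store_submission(fields, private / "form.dat", doc_root)  # second submission appends
    msg = build_notification("owner@example.invalid", "username")
    return path, doc_root, msg, fields


if __name__ == "__main__":
    path, _, msg, _ = demo()
    print(path.read_text(), msg, sep="\n")
```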