Re: WebOPAC and encryption

[Peter Murray <PMurray@xxxxxxxxxx>]

--On Tuesday, August 15, 2000 9:55 AM -0600 Kim Crowley 
<crowley@xxxxxxxxxx> wrote:

> He claims that a sniffer somewhere on the web could garner his customer
> information that he has accessed by putting in his name and library
> card #.  Does that customer information (name, phone#, address) actually
> "travel" across the Internet or is the only thing that can be hacked his
> library card # and name that he inputs to gain access.

If he is using View Patron Record, his name/address/phone is travelling 
across the Internet unencrypted and it would be possible for a 
properly-placed third party to sniff that information off the network.  One 
would really have to try hard to get it, though.

Someone else mentioned getting a certificate from Verisign to enable secure 
communications.  The INNOPAC WebPAC, though, would have to support the SSL 
protocol in order to make use of the certificate, though.  That is an 
enhancement that has been asked for a number of times, it even might have 
been on last year's IUG list, but I haven't heard of Innovative doing the 
development work yet.

I *THINK* (someone correct me if I'm wrong), that Verisign must "certify" 
web server software as 'secure' in order to have certificates generated for 
sites using that server software.  That is what held up Apache server's SSL 
certificates for a while.  Since WebPAC isn't using a commonly used web 
server, Innovative may have to go through the process of having their 
software certified by Verisign.


Peter
--
Peter Murray, Computer Services Librarian              W: 860-570-5233
University of Connecticut Law School             Hartford, Connecticut

--
This message was distributed through the Innovative Users Group INNOPAC list.
Private replies:  Peter Murray <PMurray@xxxxxxxxxx>
Public replies:   INNOPAC@xxxxxxxxxx
Archives:  http://innopacusers.org/list/archives/