Brainiac
February 20, 2018
Question

New Data Protection Laws UK

  • February 20, 2018
  • 3 replies
  • 1802 views

Not sure if anyone else is from the UK but we have new EU data protection laws coming into force on the 28th May.

One of my clients is getting spooked as his site is not 'secure'.

He has forms on it that collect personal data, i.e. names, addresses, email etc., and under these new laws that information should be encrypted or secure.

Am I correct in thinking if the files were moved onto a secure connection - https: that all the data is protected?

If so I can't work out what I'm meant to be looking for:

If I move a file onto a secure connection I still get an orange triangle plus the grey padlock instead of the green padlock:

'A grey lock with an orange triangle indicates that Firefox is not blocking insecure passive content. Attackers may be able to manipulate parts of the page, for example, by displaying misleading or inappropriate content, but they shouldn’t be able to steal your personal data from the site.'

I can't see anything in the page's code that would be unsecure; all links to external sites use the https: secure protocol apart from one which is http - even if I remove that link I still get the orange triangle plus the grey padlock.

Any clues, welcome.

Os
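What to look for when the grey padlock with the orange triangle appears, as an added example that is not part of the original post: the Python below lists every explicit `http://` subresource in a page and labels it passive (displayed with the warning) or active (blocked by the browser), which goes slightly beyond the passive case quoted above. The function name `find_mixed_content`, the tag table and the sample page are assumptions made for this example.

```python
# Added example (not from the thread); names and sample page are constructed.
import re
from html.parser import HTMLParser

# tag -> (URL attribute, how browsers treat an http:// load on an https:// page)
LOADS = {"img": ("src", "passive"), "audio": ("src", "passive"),
         "video": ("src", "passive"), "script": ("src", "active"),
         "iframe": ("src", "active"), "link": ("href", "active")}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        # <a href> is not in LOADS: a link is navigation, not a subresource.
        if tag in LOADS:
            attr, kind = LOADS[tag]
            stylesheet = "stylesheet" in a.get("rel", "").lower()
            # Only explicit http:// is mixed; "//host/x" follows the page scheme.
            if a.get(attr, "").lower().startswith("http://") and (
                    tag != "link" or stylesheet):
                self.findings.append((kind, tag, a[attr]))
        # Images pulled in by an inline style attribute count as passive content.
        for url in CSS_URL.findall(a.get("style", "")):
            self.findings.append(("passive", tag + "[style]", url))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings


# Constructed sample page, imagined as served over https://
SAMPLE = """
<script src="http://code.example.com/jquery.js"></script>
<script src="//cdn.example.com/plugin.js"></script>
<link rel="stylesheet" href="https://cdn.example.com/site.css">
<img src="http://img.example.com/logo.png" alt="">
<div style="background: url('http://img.example.com/bg.jpg')"></div>
<a href="http://partner.example.com/">Partner site</a>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```

The `<a href="http://...">` link is not reported because following a link is navigation rather than a load made by the page, so removing such a link does not change the padlock.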

    This topic has been closed for replies.

    3 replies

    pziecina
    Brainiac
    February 20, 2018

    What I have never been able to work out about data protection laws, is that anyone can register a domain name from any country. To me it would make more sense if they restricted domain registration to the country the registrant is living in, (obviously not retrospective, as that would cause chaos). That way it would be easy for the user to check which country the site is registered to, and what laws should apply.

    e.g. - if you live in the U/K then the domain name would end in .uk

    Currently one can register any domain name from almost any country.

    osgood_Author
    Brainiac
    February 20, 2018

    pziecina  wrote

    What I have never been able to work out about data protection laws, is that anyone can register a domain name from any country. To me it would make more sense if they restricted domain registration to the country the registrant is living in, (obviously not retrospective, as that would cause chaos). That way it would be easy for the user to check which country the site is registered to, and what laws should apply.

    e.g. - if you live in the U/K then the domain name would end in .uk

    Currently one can register any domain name from almost any country.

    It's all foreign to me at the moment.

    WolfShade
    Brainiac
    February 20, 2018

    I have tried to get into the habit of using protocol agnostic links for everything.

    <script src="//domain.com/scripts/jquery.js"></script>

    Like so.  I do it because my personal dev environment doesn't have SSL/TLS, but production does, so I don't have to change the code before pushing to production, and I don't have to write hack-ish code conditionals.  But it has the benefit of using whichever protocol the browser is accessing, so all links are either secure or not-secure, simultaneously.

    HTH,

    ^ _ ^

    Teodor K
    Participating Frequently
    February 20, 2018

    Encrypting data sent from the forms to the database is just a small part of GDPR. Also you need to make sure that not only you are using SSL for your site (to ensure personal data is encrypted during the transit) but also you have to encrypt the personal data in the database table so if the database was breached the data would still be exposed.

    ---DMXzone | Wappler
    osgood_Author
    Brainiac
    February 20, 2018

    https://forums.adobe.com/people/Teodor+K  wrote

    Encrypting data sent from the forms to the database is just a small part of GDPR. Also you need to make sure that not only you are using SSL for your site (to ensure personal data is encrypted during the transit) but also you have to encrypt the personal data in the database table so if the database was breached the data would still be exposed.

    Thankfully no personal data is stored in a database

    pziecina
    Brainiac
    February 20, 2018

    osgood_  wrote

    Thankfully no personal data is stored in a database

    It's not just personal info stored in a database, but all personal data that the person/company/organisation stores by any means, (even the old card index) that must be securely protected.

    This is one of the reasons that the js api does not allow access to a user's personal contacts from a browser, and why a number of old iOS/Android apps have been removed, (they sent the data back to a server).

    BenPleysier
    Community Expert
    February 20, 2018

    I have started to move my customers' sites behind a Secure Socket Layer (SSL or TLS). My Host has recently installed https://letsencrypt.org/ on my server so that I do not have to pay for the certificates.

    If you want to know more Google the subject

    Wappler is the DMXzone-made Dreamweaver replacement and includes the best of their powerful extensions, as well as much more!
    osgood_Author
    Brainiac
    February 20, 2018

    BenPleysier  wrote

    I have started to move my customers' sites behind a Secure Socket Layer (SSL or TLS). My Host has recently installed https://letsencrypt.org/ on my server so that I do not have to pay for the certificates.

    If you want to know more Google the subject

    Hummm.......this is annoying and confusing

    I think this client has a certificate because if I stick https:// before any of the page urls the pages still appear but stuff like insecure links to jquery etc stop working, which is not an issue because I can update those links.

    How does a server know how to find a secure page as default? At the moment all urls are http:// so if you type a domain name in like abc.co.uk it just finds the index.php page - http://www.abc.co.uk/index.php . Does the hosting provider have to set something up so when abc.co.uk is typed in it finds the secure url - https://www.abc.co.uk/index.php ?

    The question I guess is once I have changed all the links to https:// do the files replace the existing ones in the public_html folder or do the files have to then be uploaded to a specific folder on the server, not sure how the heck this works?

    BenPleysier
    Community Expert
    February 20, 2018

    All you need to do is add the following to the .htaccess file.

    # Rewrite secure requests properly to prevent SSL cert warnings, e.g. prevent
    # https://www.example.com when your cert only allows https://secure.example.com
    # Uncomment the following lines to use this feature.
    <IfModule mod_rewrite.c>
      RewriteCond %{SERVER_PORT} !^443
      RewriteRule ^ https://example-domain-please-change-me.com%{REQUEST_URI} [R=301,L]
    </IfModule>

    Edit: Sorry the following code should be added

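    <IfModule mod_rewrite.c>
      # Applies only to requests that arrive over plain HTTP with a "www." host:
      # strips the "www." prefix. The redirect target is http://, not https://.
      RewriteCond %{HTTPS} !=on
      RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
      RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]
    </IfModule>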

    Make sure that the rewrite engine is turned on as in

    # ----------------------------------------------------------------------
    # Start rewrite engine
    # ----------------------------------------------------------------------
    # Turning on the rewrite engine is necessary for the following rules and features.
    # FollowSymLinks must be enabled for this to work.
    <IfModule mod_rewrite.c>
      Options +FollowSymlinks
      RewriteEngine On
    </IfModule>

    Wappler is the DMXzone-made Dreamweaver replacement and includes the best of their powerful extensions, as well as much more!