Secure Forms vs. (default) "Insecure" Forms

  • rwaldenjr
    Asked on October 11, 2017 at 6:57 PM

    I'm curious about the difference between default forms and secure forms, such as those created with the "secure" checkbox enabled (as with the Prepopulate app - prepopulate.jotform.io). When the checkbox is checked, only two things seem to happen:  1. the word "form" is exchanged for "secure" in the form's address; and 2. the "Shortened URL" changes links. But, both URLs use "https:", which is an SSL-enabled web link by definition!?!

    In reading some of the message strings in the Forum (e.g., "What is the main difference in a Secured Form?"), it seems that "secure" status means the form uses an SSL certificate. But, so does "https:". Then, there's the "encryption" option, as described in the "Encrypted Forms" instructions (accessed by "Settings|Form Settings|Show More Options|Encrypt Form Data|Yes"). I'm confused by all these different "secure" options!

    What's the difference between these three secure form types:

    a.  the default " https://form.jotform.com/* ";

    b.  the " https://secure.jotform.com/* " form; and,

    c.  clicking "Yes" to enable encrypted forms in settings?


    Thanks!

  • Ashwin JotForm Support
    Replied on October 12, 2017 at 12:18 AM

    Please note that when you use SSL, i.e. https in the URL, the form data which is sent from the form to our server after the submit button is clicked is transmitted securely & encrypted. That is the primary job of SSL / https.

    https://form.jotform.com/* & https://secure.jotform.com/* are both secure and use SSL. They are two different sub-domains and both of them use https / SSL.


    c.  clicking "Yes" to enable encrypted forms in settings?

    Please note that if you encrypt your form's submission data, the input data of the form is encrypted and then saved on our server. It can only be displayed if you provide the correct key file to decrypt the data. I would suggest you take a look at the following guide, which should help you: https://www.jotform.com/help/344-Encrypted-Forms-and-How-to-Use-Them

    Hope this helps.

    Do get back to us if you have any questions.

  • rwaldenjr
    Replied on October 12, 2017 at 2:31 AM

    Ashwin -

    Unfortunately, I don't think I have any better understanding after your explanation of the difference between the three types of JotForm encryption, other than the one that uses the encryption app apparently requires a key to access the form. I'm still unclear of the difference between the other two, even though they're on separate sub-domains on your server. And, what would be an application where you'd need a secure key if the other links are secure as well?

  • Ashwin JotForm Support
    Replied on October 12, 2017 at 5:42 AM

    Please accept my apology if I was not able to explain the difference to you. Let me try to explain once again.

    SSL: SSL / Secure Sockets Layer is the standard security technology for establishing an encrypted link between a web server and a browser. This ensures that all data passed between the web server and form / browsers remain private and integral. When the data is passed from the form to our server, the data is encrypted while it is being transmitted, but when the data is received and saved, it is not encrypted. As a user you will not see any difference and it's just a security feature to safeguard your data. As a user / developer or server administrator, you do not have to do anything apart from configuring SSL certification in the web server.

     

    https://form.jotform.com/* & https://secure.jotform.com/* are different sub-domains, but both use a secure URL and do exactly the same job.

    Encrypted form: The data is encrypted at the client side / form and then sent to the server. The data is saved on our server in the encrypted format.

    Both are different features and there is nothing to compare.

    Do get back to us if you still have any questions.

     
     
  • rwaldenjr
    Replied on October 12, 2017 at 11:34 AM

    Okay, thanks Ashwin! I think I have a better understanding of the first two. Might I ask why the two sub-domains for the default SSL forms if they do the exact same thing? Seems confusing! I'd still like to know of a possible scenario where an administrator would like to have the data secured by key on your servers? And, are there legal requirements for encryption of data that contains financial or HIPAA information, or other legally-mandated server-side data storage?

  • Nik_C
    Replied on October 12, 2017 at 12:56 PM

    Not sure about the subdomain secure.jotform.com, but what is important for SSL security is the prefix https. It is nicely explained here: https://www.digicert.com/ssl/

    Regarding HIPAA, please refer to this thread: https://www.jotform.com/answers/333046-Is-JotForm-HIPAA-Compliant

    Also, as my colleague mentioned, we have Encrypted forms, where a key is used to unlock the data; you can read more about that feature here: https://www.jotform.com/help/344-Encrypted-Forms-and-How-to-Use-Them

    If you have any further questions please let us know.

    Thank you!
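
The distinction discussed in this thread, as an added example that is not part of any post and is not JotForm's code: with HTTPS alone the server receives and stores plaintext, while with client-side encryption it only ever holds ciphertext that the owner's private key file can open. RSA-OAEP, the field names and the helper functions are assumptions chosen for illustration (Node.js).

```javascript
// Added illustration, NOT JotForm's implementation. Algorithm choice (RSA-OAEP),
// field names and function names are assumptions.
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Form owner: generate a key pair once. Only the public key ships with the form;
// the private key stays in a file the owner keeps.
function makeOwnerKeys() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Browser side: encrypt each field value before it leaves the client.
// RSA-2048 with OAEP-SHA256 fits at most 190 bytes per value; longer fields
// would need hybrid encryption (a random AES key wrapped with RSA).
function encryptSubmission(publicKey, fields) {
  const out = {};
  for (const [name, value] of Object.entries(fields)) {
    const ct = crypto.publicEncrypt({ key: publicKey, ...OAEP }, Buffer.from(String(value), 'utf8'));
    out[name] = ct.toString('base64');
  }
  return out;
}

// Server side: TLS has already been removed at this point, so whatever the
// client sent is exactly what gets written to storage.
function storeOnServer(record) {
  return JSON.stringify(record);
}

// Owner side: decrypt a stored row with the private key file.
function decryptSubmission(privateKey, storedRow) {
  const out = {};
  for (const [name, b64] of Object.entries(JSON.parse(storedRow))) {
    out[name] = crypto.privateDecrypt({ key: privateKey, ...OAEP }, Buffer.from(b64, 'base64')).toString('utf8');
  }
  return out;
}

function demo() {
  const { publicKey, privateKey } = makeOwnerKeys();
  const fields = { name: 'Pat Example', ssn: '000-00-0000' }; // constructed sample data
  const tlsOnlyRow = storeOnServer(fields);
  const encryptedRow = storeOnServer(encryptSubmission(publicKey, fields));
  return {
    tlsOnlyLeaks: tlsOnlyRow.includes(fields.ssn),     // plaintext readable at rest
    encryptedLeaks: encryptedRow.includes(fields.ssn), // only ciphertext at rest
    recovered: decryptSubmission(privateKey, encryptedRow),
  };
}
console.log(demo());
```

The practical consequence is that anyone with access to the stored row (or a database backup) can read the TLS-only submission, but needs the owner's private key for the encrypted one; losing that key means the data cannot be recovered.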