12 Replies Latest reply on Oct 25, 2013 8:26 AM by Test Screen Name

    Will I need to obtain a separate https certificate?

    supas33k3r Level 1

      Hi,

       

      I have created a PDF form in Acrobat and wish to use the eSignature feature for customers' electronic signatures as my form involves bank details for transactions.

       

      Will I need to obtain a separate https certificate so that customers are taken to a secure payment system OR does Adobe Acrobat's eSignature feature take users to an already secure page/system?

       

      Thanks.

        • 1. Re: Will I need to obtain a separate https certificate?
          George_Johnson MVP & Adobe Community Professional

          Are you asking about EchoSign or something else?

          • 2. Re: Will I need to obtain a separate https certificate?
            Dave Merchant MVP & Adobe Community Professional

            Understand that signing a document and securing it against unauthorized viewing are entirely different things. Just because someone's applied a signature doesn't absolve you from the need to keep the file away from prying eyes, so you wouldn't want people to be emailing copies around the place.

            • 3. Re: Will I need to obtain a separate https certificate?
              supas33k3r Level 1

              Thanks for your replies George and Dave. Yes George, I believe it is the EchoSign - it's just the 'add digital signature' tool from the top toolbar menu.

               

              Dave, yeah that's understood thanks. Being new to this and quite an amateur truth be told, that's why I was wondering whether this system, once the 'add digital ID' signature box has been clicked by the customer, takes them through to a secure page?

               

              I would have thought that with Adobe having the digital signature tool available to be used, there would be some sort of system in place whereby it's secure - or is this not the case and we ourselves need to make sure it's made secure? If so, how?

               

              Apologies for what may be very basic questions to some people, but as I said I'm new to this so I appreciate all the help and advice I can get!

              • 4. Re: Will I need to obtain a separate https certificate?
                Dave Merchant MVP & Adobe Community Professional

                the EchoSign website is secured by SSL, however by default a copy of the completed document will be emailed to all involved (which can be opened by anyone who gets hold of it).

                • 5. Re: Will I need to obtain a separate https certificate?
                  supas33k3r Level 1

                  Thanks Dave. On that basis is it recommended as a safe proof system? On the basis that a customer was to fill out the form and sign their digital ID to it, surely that would mean only us as the owners of the form and the customer signing it would be emailed a copy - as is the case with a lot of online transactions when you get a confirmation email? In which case it wouldn't be dangerous?

                  • 6. Re: Will I need to obtain a separate https certificate?
                    Test Screen Name Most Valuable Participant

                    From your original post it seems that the information you want to send is secret - not to be seen by anyone except the intended recipient. Is this the case or are you happy for every piece of information in the form to be (potentially) public? Consider whether you would be happy to put this information on a postcard and drop it in the regular mail for anyone to read on its way.

                     

                    I think you need to confirm this first for us to give good advice.

                    • 7. Re: Will I need to obtain a separate https certificate?
                      supas33k3r Level 1

                      Thanks for your reply TSN. It's basically a standard bank 'Standing Order' form for customers to fill in all the usual details when you make an online transaction - so this does include sensitive information such as the customer's bank details, our bank details and the customer's signature(s).

                       

                      So yes it does have to be 'secret'/protected because naturally we don't want information such as that leaking into the wrong hands. We only want ourselves and the recipient to be able to know and see their information.

                       

                      Normally when you make an online transaction, you're taken to a secure https:// page with a padlock sign in the address bar signalling the page you're on is secure. Having never set up one of these forms previously, I wanted to be 100% sure than the digital signature ID tool provided in Adobe Acrobat is like that (i.e. secure).

                      • 8. Re: Will I need to obtain a separate https certificate?
                        Dave Merchant MVP & Adobe Community Professional

                        EchoSign's website is entirely run on SSL, so the transaction is protected against snooping as the web pages are sent across the Internet (e.g. via a public WiFi hotspot). However the end result of the online 'signing' process is a PDF file that can be opened by anyone who gets a copy. By default, it's emailed to the signer and the document owner, but the attachment is not encrypted so if either mailbox was accessible to another person, so is the PDF. If your signer checked his or her email on the same public WiFi hotspot, chances are they are not using an encrypted mail client so a snooper would be able to grab a copy of any messages. For sensitive documents you should turn off the email forwarder in EchoSign and make them download  the signed file from the website instead.

                         

                        One important thing to remember about EchoSign - the digitial 'certifying' signature applied to the PDF is NOT that of the person who signs it. It's from Adobe. All they are certifying is that someone opened the link in an email you sent, and they filled in your form. EchoSign makes no claim whatseoever about the identity of the signer other than that they are someone with access to a certain email account. If you asked John Doe to sign a document and his flatmate was borrowing his laptop when the invite arrived, Adobe has no clue. EchoSign will allow "signing" of a form without an actual representation of the person's ink signature; they can simply type into a text box.

                         

                         

                        If you need to prove the signer's identity beyond legal doubt, EchoSign is not the route to take. Think of how your own online banking system checks who you are, and follow the same practices.

                        • 9. Re: Will I need to obtain a separate https certificate?
                          supas33k3r Level 1

                          Is EchoSign the same thing as the digital signature tool you can place in your form in Adobe Acrobat? See my screenshot.

                          digitalsig.jpg

                          Or is this something entirely different we need to implement some other way?

                           

                          This is what comes up when you click the actual signature button - and this is what I'm trying to find out is 100% secure for submitting to us...

                           

                          digitalsig2.jpg

                           

                          I'm just trying to get all the information I need to make a fair judgement call on whether I think going down the Adobe Acrobat form route for our customers is a better option than creating a HTML form or something else.

                          • 10. Re: Will I need to obtain a separate https certificate?
                            Test Screen Name Most Valuable Participant

                            Signatures are nothing like submitting.

                             

                            If you sign from a file, this is entirely self contained, the file does not go to the network. But what you have next is a signed PDF, still on the user's computer.

                            So that would have to be submitted to the web server, and done using https to be secure.

                             

                            Signatures offer something impossible to do with HTML, proof of authenticity. But it requires each user to carefully set up and understand their own signature AND Share something with you for proof of authenticity.

                            • 11. Re: Will I need to obtain a separate https certificate?
                              supas33k3r Level 1

                              Thanks again TSN. So are you saying that even with the digital signature, it would still require us to obtain a secure 'https' URL which the person signing would then submit their filled in PDF form to us through that?

                               

                              Apologies for bombarding you guys with question after question!

                              • 12. Re: Will I need to obtain a separate https certificate?
                                Test Screen Name Most Valuable Participant

                                I'm really not understand what you think signing is, which is why I think our answers aren't hitting the mark for you.

                                 

                                Signing a document doesn't reach out to you, or your server, or send you anything.

                                 

                                So to submit the form, yes you'd need a secure web server, https, and above all software written for you and installed by a web scripting professional on the server. It's the last of these which is the big deal; buying a certificate is a detail. You couldn't use software intended for HTML forms.