[nycphp-talk] Website Data Encryption tools
Rolan Yang
rolan at omnistep.com
Sun Apr 6 14:28:14 EDT 2008
Joe Leo wrote:
>
> Still, I wonder why you want to do that? Do you distrust your
> hosting company that much? In that case I'd look for a different
> provider.
>
> Well, I am just looking into solutions to encrypt data. The question
> as to why I would want to do that is not the question - but thanks
> for asking.
>
> What are you trying to protect and who are you protecting it against?
>
> I'm looking to protect data/information that could be the software
> code and/or customers' client info. Protection should be from anyone
> who does not need to have access to the website data or the DB... Of
> course, data will be shown to users (web clients) who have been given
> access to view this data from the application.
>
> What I am interested in is finding the most effective and most secure
> way to upload my website & DB to a remote host with the data fully
> protected by encryption.
>
> I will look into the ionCube suggested earlier - though this seems to
> be a PHP-only solution. From what I gather, a product like
> TrueCrypt could be better, as I can encrypt an entire volume or folder
> and it's done - regardless of the type of code or application that
> exists or is being encrypted.
>
I think there's a little bit of shortsightedness going on here. If any
reasonable security is to be expected, the entire system from start to
finish must be evaluated. How much security do you expect? Who and what
do you trust to be secure? Is your development PC secure? Could it be
loaded with spyware that is sending your keystrokes off to the bad guys?
Do you trust the guy/girl standing behind you looking over your
shoulder? Do you trust the web host that manages your website's server?
How about the server monkey managing the nightly backups? Or the hacker
on your shared web host running the sniffer? Or the 13-year-old from
Hungary secretly running IRC proxies on your dedicated host? Or the
NSA's tap at AT&T's networks? Could your client/customer's PC be
infected with spyware? Could their neighbor be running a
man-in-the-middle attack on the wireless network? How about the guy
physically standing behind him, or perhaps the nosy wife digging through
her husband's Gmail account? My point here is that there are so many
points at which the security of data could be compromised. Dan's
question is extremely relevant and should be examined thoroughly if the
true objective is to implement data security.
Unfortunately, for most people (including our government), the
perception of security takes priority over actual security. Slapping an
official looking "seal of security" gif on to the bottom of the web
order form and maybe prepending "https" to the URL (regardless of what's
running under the hood!) is often sufficient for the general population.
~Rolan