
[nycphp-talk] Website Data Encryption tools

Joe Leo joeleo724 at gmail.com
Sun Apr 6 20:14:34 EDT 2008


Here's another thought I wonder about regarding encryption technology. Could
encryption technology one day replace the need for firewalls, either partially or
altogether? Forget about those security policies, is my firewall
configured right, applying security patches and hardening the OS, etc. If
one can just encrypt their entire drive, or the data that needs to be protected,
by encryption, why need a firewall if the data is garbled and useless to those
who can't decrypt it? Of course a firewall plays other roles, but from a pure
"protect my data from the unwanted" standpoint, to me encryption may solve that. Just a
thought!

Joe

On Sun, Apr 6, 2008 at 7:12 PM, Joe Leo <joeleo724 at gmail.com> wrote:

> Wow, I really appreciate the feedback and the many comments I am
> getting on my original question. I asked my original question not so much because I
> have some secrecy of any kind of application. As I mentioned, I'm not much
> of a programmer in practice. I'm just getting interested in encryption
> technology as a whole, and since I have not really used any of these tools I wanted
> to get an idea how effective they are.
>
> Now the feedback with the questions and comments I am getting is good, in
> that it makes me think why I would use it and to what purpose.
> What I've been hoping to gain from asking my question is then why and when to
> use such an encryption tool, especially when hosting your data remotely with a
> hosting provider.
>
> My thought is, if encryption techniques like TrueCrypt work, why not use
> them regardless of who your hosting provider is, or having to consider questions
> like who you are trying to protect data from. I mean, when you buy a nice brand
> new expensive car you have a key to lock the doors, and some go further to
> put in a car alarm or car tracking device. Who you're trying to prevent from
> stealing your car is a no-brainer question to consider, IMO. One knows that
> locking the door and/or having a car alarm is a deterrent, though not 100%
> guaranteed. Maybe my example is not the best, but I am just trying to raise a
> point.
>
> In my question, deploying some encryption on my data would (help) minimize
> people stealing private data, so why not use it, especially if there's not
> much performance penalty.
>
> David, regarding your comments below:
>
> > So are you worried about encryption during uploading or about encryption
> > while executing the scripts on the server and serving up content - or both?
> > What other security measures did you include?
>
>
> You've hit the right questions I am looking to understand. The answer is
> both. From what I understand about a tool like TrueCrypt, I can encrypt, say,
> my web folder (web site) and upload it to my hosting provider. And what I am
> trying to understand is whether the encrypted data can remain encrypted and still
> serve content. Or, once I upload the encrypted data, must I decrypt
> it to serve the content? I am not concerned about data being encrypted out to
> the user's browser. SSL takes care of that, right? So, if it is that I can
> encrypt and it remains encrypted while serving content, then this is not a bad
> solution. And of course one can take other measures like SSH to the server
> to actually keep access to it secure.
>
> joe
>
> On Sun, Apr 6, 2008 at 5:09 PM, David Krings <ramons at gmx.net> wrote:
>
> > Joe Leo wrote:
> >
> > >    Well, you could wrap everything into PHP and use one of these PHP
> > >    obfuscators.
> > >
> > > Well, I am not much of a php/programmer and don't know how and what it
> > > means to "wrap everything into php".
> > >
> >
> > I mean that you need to use PHP to output static page content if you
> > want to encode / obfuscate everything.
> >
> > >    Still, I wonder why you want to do that? Do you distrust your
> > >    hosting company that much? In that case I'd look for a different
> > >    provider.
> > >
> > >
> > > Well, I am just looking into a solutions to encrypt data. The question
> > > as to why I would want to do that is not the question - But, thanks for
> > > asking.
> > >
> >
> > Well, the reason for me asking is that there may be a better approach
> > than taking the big hammer. I speak from experience as I often use(d) the
> > big hammer and everything was a nail.
> >
> >
> > >    What are you trying to protect and who are you protecting it
> > >    against?
> > >
> > > I'm looking to protect data/information that could be the software
> > > code and/or customer's client info.. Protection should be from anyone who
> > > does not need to have access to the website data or the DB... Of course,
> > > data will be shown to users (web client) who has been given access to view
> > > this data from the application.
> > >
> >
> > So who is your hoster? Ever thought about self-hosting or having the
> > customer run the server? Any chance that this might work via intranet rather
> > than internet? Because then you probably want to add SSL to the pages. I do
> > not know if that is difficult to do. But keep in mind, anything that is
> > accessible via internet is not what I'd consider entirely secure.
> > I don't see why you need to protect the software code. PHP is server
> > side only and the client doesn't see anything from your PHP code.
> > And yes, it is assumed that legitimate users are allowed to see
> > information, otherwise the whole setup would be quite pointless.
> >
> > >    What I am interested in is to find the most effective and most secure
> > >    way to upload my website & db to remote host and the data is fully protected
> > >    by encryption.
> > >
> >
> > As mentioned above, hosting something offsite and having it be available
> > through the internet is IMHO not secure. Taking stuff can be made more
> > difficult, but most secure... well, I leave that up to the experts, but I
> > have my doubts - see Hannaford, TJX, etc.
> >
> > >    I will look into the ionCube suggested earlier - Though this seems to
> > >    be a PHP only base solution. From what I gather, a product like TrueCrypt
> > >    could be better as I can encrypt an entire volume or folder and it's done -
> > >    Regardless of type of code or application that exist or being encrypted.
> > >
> >
> > Again, comes down to the hosting service that you have. Do you have that
> > much access and rights to the server that you can just go ahead and run
> > services that encrypt and decrypt entire folders?
> >
> >
> > > I know many software type companies package their software where
> > > either partially or fully the code is encrypted and protected. This is the
> > > similar type of solution I guess I am looking for.
> > >
> >
> > Nah, most companies distribute binaries that make it difficult enough
> > for people like me to re-engineer the code. But look at the open source
> > security applications. Their code is freely available. Security through
> > obscurity is one of the worst approaches.
> >
> > I don't want to rain on your parade, but taking into account that you
> > are "not much of a php/programmer" you may want to take a step back and
> > think this over if that application is indeed that critical and demands such
> > secrecy that code and database have to be encrypted. I have played around with PHP
> > for about five years now and I don't think that I'd be capable of writing a
> > secure application. I'm not saying that you are not capable of that, but I
> > have the impression that you think slapping some encryption onto something
> > makes it secure.
> > I am also wondering a bit about your statement that you want "to find
> > the most effective and most secure way to upload my website & db to remote
> > host". So are you worried about encryption during uploading or about
> > encryption while executing the scripts on the server and serving up content
> > - or both? What other security measures did you include? Captchas? Multiple
> > time-limited passwords? Multiple access levels? Effective session management
> > to kick people out of the system after a few minutes of inactivity? Or even
> > other means such as biometrics as identification? Your own certificate?
> > Also, does it have to be a web client? I'd guess there are way more and
> > way better means to encrypt data when working with fat clients. Also, which
> > database engine do you plan to use? Does that database engine have means to
> > encrypt entire tables or data sets?
> > And what do you do for client security? There is not much gained when
> > your server is like Fort Knox, but the users can access the application from
> > any client on any network and then do so from their favourite internet cafe,
> > leaving the PC unattended while getting another beer. So you want to at
> > least restrict the IP address (ranges) that are allowed to get even to the
> > login page.
> >
> > Sorry for asking that many questions, but I think those and many more
> > questions need to be asked and sufficiently answered.
> >
> > David
> >
> > _______________________________________________
> > New York PHP Community Talk Mailing List
> > http://lists.nyphp.org/mailman/listinfo/talk
> >
> > NYPHPCon 2006 Presentations Online
> > http://www.nyphpcon.com
> >
> > Show Your Participation in New York PHP
> > http://www.nyphp.org/show_participation.php
> >
>
>
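On Joe's question of whether data can "remain encrypted and still serve content": the pattern that does this in a PHP application is field-level encryption, where the sensitive columns are stored as ciphertext and decrypted only at the moment a page is rendered for an authorised user. The following is an added example written for this page, not code from the thread, TrueCrypt or ionCube. It assumes PHP 7.2 or later with ext/sodium and pdo_sqlite, a hypothetical key file at `/etc/myapp/field.key`, and an invented `clients` table; the sample record is constructed. The caveat it illustrates is the limit of the approach: the PHP process must be able to read the key while it serves pages, so this protects a copied disk image or a leaked database dump, not a server on which an attacker already runs code.

```php
<?php
// Added example: customer records stay encrypted in the database and are
// decrypted only when served. Assumptions: PHP >= 7.2 with ext/sodium and
// pdo_sqlite; the key file path and the table layout are hypothetical.
declare(strict_types=1);

const KEY_FILE = '/etc/myapp/field.key';   // hypothetical; must live outside the web root

// Load the 32-byte key from outside the document root. The key is the one
// thing a copied disk image or a leaked DB dump does not contain.
function loadKey(string $path): string
{
    if (!is_readable($path)) {
        throw new RuntimeException("key file not readable: $path");
    }
    $key = file_get_contents($path);
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('key must be exactly ' . SODIUM_CRYPTO_SECRETBOX_KEYBYTES . ' bytes');
    }
    return $key;
}

// Authenticated encryption (XSalsa20-Poly1305). A fresh random nonce per value;
// the nonce is prepended to the ciphertext and the result base64-encoded so it
// fits an ordinary TEXT column.
function encryptField(string $plaintext, string $key): string
{
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return sodium_bin2base64($nonce . $cipher, SODIUM_BASE64_VARIANT_ORIGINAL);
}

function decryptField(string $stored, string $key): string
{
    $raw    = sodium_base642bin($stored, SODIUM_BASE64_VARIANT_ORIGINAL);
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    if ($plain === false) {
        // Wrong key or a tampered row: refuse to serve rather than show garbage.
        throw new RuntimeException('decryption failed (bad key or tampered ciphertext)');
    }
    return $plain;
}

// --- demo with a constructed in-memory table standing in for the hosted DB ---
$key = sodium_crypto_secretbox_keygen();   // demo only; in production use loadKey(KEY_FILE)

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT, ssn_enc TEXT)');

$ins = $db->prepare('INSERT INTO clients (name, ssn_enc) VALUES (?, ?)');
$ins->execute(['Example Client', encryptField('123-45-6789', $key)]);   // constructed sample data

// What the hosting provider (or anyone holding the DB file) sees:
$row = $db->query('SELECT name, ssn_enc FROM clients')->fetch(PDO::FETCH_ASSOC);
echo "stored: {$row['ssn_enc']}\n";

// What the application serves to an authorised user:
echo "served: " . decryptField($row['ssn_enc'], $key) . "\n";

// The same row under a different key cannot be served, and the app says so.
try {
    decryptField($row['ssn_enc'], sodium_crypto_secretbox_keygen());
} catch (RuntimeException $e) {
    echo "other key: {$e->getMessage()}\n";
}

sodium_memzero($key);
```

Two design points a practitioner will want: the nonce must be random per value (reusing one with secretbox breaks confidentiality), and the authenticated construction means a row edited in the database fails to decrypt instead of silently serving altered data. Whole-volume tools such as TrueCrypt give the same property for the disk as a unit, but once the volume is mounted for the web server every file in it is plaintext to anyone who can read it through the web server.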

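David's list of "other security measures" ends with two concrete ones: an idle timeout that ends the session after a few minutes, and restricting which IP ranges can reach the login page at all. As an added example (not from the thread), here is how both checks look in PHP when placed in front of a protected page. The allowlist ranges (RFC 5737 documentation addresses), the 300-second limit, the session key name and the response strings are all assumptions, and 64-bit PHP is assumed for the mask arithmetic.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread: an IP allowlist in front of the
// login page plus an idle timeout on the session. ALLOWED_RANGES, the limit,
// the session key name and the return strings are assumptions; 64-bit PHP
// integers are assumed for the mask arithmetic.
const ALLOWED_RANGES = ['203.0.113.0/24', '198.51.100.7/32'];   // RFC 5737 ranges stand in for an office/VPN list
const IDLE_LIMIT_SECONDS = 300;                                 // "a few minutes of inactivity"

// True if the IPv4 address $ip lies inside $cidr ("a.b.c.d/n" or a bare "a.b.c.d").
function ipInCidr(string $ip, string $cidr): bool
{
    $parts   = explode('/', $cidr, 2);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($parts[0]);
    $bits    = isset($parts[1]) ? (int) $parts[1] : 32;
    if ($ipLong === false || $netLong === false || $bits < 0 || $bits > 32) {
        return false;   // malformed input never matches
    }
    $mask = -1 << (32 - $bits);   // top $bits bits set; only the low 32 bits matter here
    return ($ipLong & $mask) === ($netLong & $mask);
}

function isAllowedClient(string $ip, array $ranges): bool
{
    foreach ($ranges as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Idle-timeout check over the session array ($_SESSION in a real request).
// $now is passed in so the logic can be exercised without sleeping.
function sessionStillLive(array &$session, int $now, int $limit = IDLE_LIMIT_SECONDS): bool
{
    if (isset($session['last_activity']) && ($now - $session['last_activity']) > $limit) {
        $session = [];   // expire everything; a real handler also calls session_destroy()
        return false;
    }
    $session['last_activity'] = $now;
    return true;
}

// The gate a login page (or any protected page) runs before anything else.
// Feed it $_SERVER['REMOTE_ADDR']; X-Forwarded-For is client-supplied and only
// trustworthy when a proxy you control sets it.
function gateRequest(string $clientIp, array &$session, int $now): string
{
    if (!isAllowedClient($clientIp, ALLOWED_RANGES)) {
        return '403 not from an allowed network';
    }
    if (!sessionStillLive($session, $now)) {
        return '302 back to login (idle timeout)';
    }
    return '200 serve page';
}

// --- constructed demo: an internet cafe address, then an office address ---
$session = ['user' => 'joe', 'last_activity' => 1000];
echo "cafe client:          ", gateRequest('192.0.2.50', $session, 1010), "\n";
echo "office client:        ", gateRequest('203.0.113.42', $session, 1010), "\n";
echo "office, 301s later:   ", gateRequest('203.0.113.42', $session, 1010 + 301), "\n";
echo "session after expiry: ", count($session), " keys\n";
```

The allowlist check runs first so an address outside the ranges never reaches the session or login code, and the timeout logic takes the clock as a parameter so it can be tested without waiting. Neither control replaces encryption of the data; they narrow who can even attempt to log in, which is the point David was making about the unattended PC in the cafe.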
