NYPHP.org

[nycphp-talk] Website Data Encryption tools

David Krings ramons at gmx.net
Sun Apr 6 17:09:28 EDT 2008


Joe Leo wrote:
>     Well, you could wrap everything into PHP and use one of these PHP
>     obfuscators.
> 
> Well, I am not much of a php/programmer and don't know how and what it 
> means to "wrap everything into php".

I mean that you need to use PHP to output static page content if you want to 
encode / obfuscate everything.

>     Still, I wonder why you want to do that? Do you distrust your
>     hosting company that much? In that case I'd look for a different
>     provider.
> 
> 
> Well, I am just looking into a solution to encrypt data. The question 
> as to why I would want to do that is not the question - But, thanks for 
> asking.

Well, the reason for me asking is that there may be a better approach than 
taking the big hammer. I speak from experience as I often use(d) the big 
hammer and everything was a nail.


>     What are you trying to protect and who are you protecting it against?
> 
> I'm looking to protect data/information that could be the software code 
> and/or customer's client info.. Protection should be from anyone who 
> does not need to have access to the website data or the DB... Of course, 
> data will be shown to users (web client) who have been given access to 
> view this data from the application.

So who is your hoster? Ever thought about self-hosting or having the customer 
run the server? Any chance that this might work via intranet rather than 
internet, because then you probably want to add SSL to the pages. I do not 
know if that is difficult to do. But keep in mind, anything that is accessible 
via internet is not what I'd consider entirely secure.
I don't see why you need to protect the software code. PHP is server side only 
and the client doesn't see anything from your PHP code.
And yes, it is assumed that legitimate users are allowed to see information, 
otherwise the whole setup would be quite pointless.

> What I am interested in is to find the most effective and most secure 
> way to upload my website & db to remote host and the data is fully 
> protected by encryption.

As mentioned above, hosting something offsite and having it be available through 
the internet is IMHO not secure. Taking stuff can be made more difficult, but 
most secure....well, I leave that up to the experts, but I have my doubts - 
see Hannaford, TJX, etc.

> I will look into the ionCube suggested earlier - Though this seems to be 
> a PHP only base solution. From what I gather, a product like TrueCrypt 
> could be better as I can encrypt an entire volume or folder and it's 
> done - Regardless of type of code or application that exists or is being 
> encrypted.

Again, comes down to the hosting service that you have. Do you have that much 
access and rights to the server that you can just go ahead and run services 
that encrypt and decrypt entire folders?

> 
> I know many software type companies package their software where either 
> partially or fully the code is encrypted and protected. This is the 
> similar type of solution I guess I am looking for.

Nah, most companies distribute binaries that make it difficult enough for 
people like me to re-engineer the code. But look at the open source security 
applications. Their code is freely available. Security through obscurity is 
one of the worst approaches.

I don't want to rain on your parade, but taking into account that you are "not 
much of a php/programmer" you may want to take a step back and think this over 
if that application is indeed that critical and demands such secrecy that code 
and database have to be encrypted. I have been playing around with PHP for about five years 
now and I don't think that I'd be capable of writing a secure application. I'm 
not saying that you are not capable of that, but I have the impression that 
you think slapping some encryption onto something makes it secure.
I am also wondering a bit about your statement that you want "to find the most 
effective and most secure way to upload my website & db to remote host". So 
are you worried about encryption during uploading or about encryption while 
executing the scripts on the server and serving up content - or both? What 
other security measures did you include? CAPTCHAs? Multiple time-limited 
passwords? Multiple access levels? Effective session management to kick people 
out of the system after a few minutes of inactivity? Or even other means such 
as biometrics as identification? Your own certificate?
Also, does it have to be a web client? I'd guess there are way more and way 
better means to encrypt data when working with fat clients. Also, which 
database engine do you plan to use? Does that database engine have means to 
encrypt entire tables or data sets?
And what do you do for client security? There is not much gained when your 
server is like Fort Knox, but the users can access the application from any 
client on any network and then do so from their favourite internet cafe, 
leaving the PC unattended while getting another beer. So you want to at least 
restrict the IP address (ranges) that are allowed to get even to the login page.

Sorry for asking that many questions, but I think those and many more 
questions need to be asked and sufficiently answered.

David
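
Added example, not part of the original message or the poster's code: a PHP guard, meant to be included at the top of each protected page, that combines two of the measures the message asks about, namely restricting which IP ranges can reach the application and ending sessions after a few minutes of inactivity. The CIDR ranges, the 300-second limit and the `/login.php` path are constructed assumptions.

```php
<?php
// Added example. ALLOWED_CIDRS, IDLE_LIMIT and /login.php are constructed
// sample values (assumptions), not taken from the thread.
const ALLOWED_CIDRS = ['192.0.2.0/24', '2001:db8:10::/48'];
const IDLE_LIMIT = 300; // seconds of inactivity before the session is ended

// True if $ip lies inside $cidr. Works for IPv4 and IPv6 by comparing packed bytes.
function ip_in_cidr(string $ip, string $cidr): bool
{
    if (substr_count($cidr, '/') !== 1) return false;
    [$net, $bits] = explode('/', $cidr);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // malformed input or IPv4/IPv6 mismatch: deny
    }
    if (!ctype_digit($bits) || (int)$bits > strlen($ipBin) * 8) return false;
    $full = intdiv((int)$bits, 8); // whole bytes covered by the prefix
    $rest = (int)$bits % 8;        // leftover bits in the next byte
    if (substr($ipBin, 0, $full) !== substr($netBin, 0, $full)) return false;
    if ($rest === 0) return true;
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return (ord($ipBin[$full]) & $mask) === (ord($netBin[$full]) & $mask);
}

// True while the session is active; wipes it once IDLE_LIMIT is exceeded.
function session_is_fresh(int $now): bool
{
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > IDLE_LIMIT) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = $now; // each request resets the idle clock
    return true;
}

// Assumes clients connect directly; behind a proxy REMOTE_ADDR is the proxy's address.
$client  = $_SERVER['REMOTE_ADDR'] ?? '';
$allowed = false;
foreach (ALLOWED_CIDRS as $cidr) {
    if (ip_in_cidr($client, $cidr)) { $allowed = true; break; }
}
if (!$allowed) { http_response_code(403); exit('Forbidden'); }

session_start();
if (!session_is_fresh(time())) {
    header('Location: /login.php?expired=1'); // hypothetical login page
    exit;
}
```

The allowlist is checked before `session_start()`, so requests from outside the permitted ranges never get a session at all.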


