[nycphp-talk] Website Data Encryption tools

Joe Leo joeleo724 at gmail.com
Sun Apr 6 19:12:25 EDT 2008


Wow, I really appreciate the feedback and some of the many comments I am
getting to my original question. I asked my original question not so much because I
have some secret in any kind of application. As I mentioned, I'm not much
of a programmer in practice. I'm just getting interested in encryption
technology as a whole, and since I have not really used any of these tools I wanted
to get an idea of how effective they are.

Now the feedback with the questions and comments I am getting are good, in
that, they make me think why would I use it and to achieve what purpose.
What I've been hoping to gain from asking my question is then why & when to
use such encryption tool - especially, when hosting your data remotely by a
hosting provider.

My thought is, if encryption techniques like TrueCrypt work - why not use it
regardless of who your hosting provider is? Or, having to consider questions
like who you are trying to protect data from. I mean, when you buy a nice brand
new expensive car you have a key to lock the doors, and some go further to
put in a car alarm or car tracking device. Who you're trying to prevent from
stealing your car is a no-brainer question to consider - IMO. One knows that
locking the door and/or having a car alarm is a deterrent - though not 100%
guaranteed. Maybe my example is not the best, but I'm just trying to raise a
point.

To my question: deploying some encryption on my data would (help) minimize
people stealing private data - why not use it, especially if there's not
much performance penalty?

David, regarding your comments below:

> So are you worried about encryption during uploading or about encryption
> while executing the scripts on the server and serving up content - or both?
> What other security measures did you include?


You've hit the right questions I am looking to understand. The answer is
both. From what I understand about a tool like TrueCrypt, I can encrypt say
my webfolder (web site) and upload it to my hosting provider. And, what I am
trying to understand is whether the encrypted data can remain encrypted and still
serve content. Or, once I upload the encrypted data, must I decrypt
it to serve the content? I am not concerned about data being encrypted out to
the user's browser. SSL takes care of that - right? So, if I can
encrypt it and it remains encrypted while serving content, then this is not a bad
solution. And, of course, one can take other measures like ssh to the server
to actually keep access to it secure.

joe
On Sun, Apr 6, 2008 at 5:09 PM, David Krings <ramons at gmx.net> wrote:

> Joe Leo wrote:
>
> > > Well, you could wrap everything into PHP and use one of these PHP
> > > obfuscators.
> >
> > Well, I am not much of a php/programmer and don't know how and what it
> > means to "wrap everything into php".
> >
>
> I mean that you need to use PHP to output static page content if you want
> to encode / obfuscate everything.
>
> > > Still, I wonder why you want to do that? Do you distrust your
> > > hosting company that much? In that case I'd look for a different
> > > provider.
> >
> >
> > Well, I am just looking into a solution to encrypt data. The question
> > as to why I would want to do that is not the question - But, thanks for
> > asking.
> >
>
> Well, the reason for me asking is that there may be a better approach than
> taking the big hammer. I speak from experience as I often use(d) the big
> hammer and everything was a nail.
>
>
> > > What are you trying to protect and who are you protecting it against?
> >
> > I'm looking to protect data/information that could be the software code
> > and/or customer's client info.. Protection should be from anyone who does
> > not need to have access to the website data or the DB... Of course, data
> > will be shown to users (web clients) who have been given access to view this
> > data from the application.
> >
>
> So who is your hoster? Ever thought about self-hosting or having the
> customer run the server? Any chance that this might work via intranet rather
> than internet, because then you probably want to add SSL to the pages. I do
> not know if that is difficult to do. But keep in mind, anything that is
> accessible via internet is not what I'd consider entirely secure.
> I don't see why you need to protect the software code. PHP is server side
> only and the client doesn't see anything from your PHP code.
> And yes, it is assumed that legitimate users are allowed to see
> information, otherwise the whole setup would be quite pointless.
>
> > What I am interested in is to find the most effective and most secure way
> > to upload my website & db to remote host and the data is fully protected by
> > encryption.
> >
>
> As mentioned above, hosting something offsite and have it be available
> through the internet is IMHO not secure. Taking stuff can be made more
> difficult, but most secure....well, I leave that up to the experts, but I
> have my doubts - see Hannaford, TJX, etc.
>
> > I will look into the ionCube suggested earlier - Though this seems to be
> > a PHP only base solution. From what I gather, a product like TrueCrypt could
> > be better as I can encrypt an entire volume or folder and it's done -
> > Regardless of the type of code or application that exists or is being encrypted.
> >
>
> Again, comes down to the hosting service that you have. Do you have that
> much access and rights to the server that you can just go ahead and run
> services that encrypt and decrypt entire folders?
>
>
> > I know many software type companies package their software where either
> > partially or fully the code is encrypted and protected. This is the similar
> > type of solution I guess I am looking for.
> >
>
> Nah, most companies distribute binaries that make it difficult enough for
> people like me to re-engineer the code. But look at the open source security
> applications. Their code is freely available. Security through obscurity is
> one of the worst approaches.
>
> I don't want to rain on your parade, but taking into account that you are
> "not much of a php/programmer" you may want to take a step back and think
> this over if that application is indeed that critical and demands such
> secrecy that code and database have to be encrypted. I play around with PHP
> for about five years now and I don't think that I'd be capable of writing a
> secure application. I'm not saying that you are not capable of that, but I
> have the impression that you think slapping some encryption onto something
> makes it secure.
> I am also wondering a bit about your statement that you want "to find the
> most effective and most secure way to upload my website & db to remote
> host". So are you worried about encryption during uploading or about
> encryption while executing the scripts on the server and serving up content
> - or both? What other security measures did you include? Captchas? Multiple
> time-limited passwords? Multiple access levels? Effective session management
> to kick people out of the system after a few minutes of inactivity? Or even
> other means such as biometrics as identification? Your own certificate?
> Also, does it have to be a web client? I'd guess there are way more and
> way better means to encrypt data when working with fat clients. Also, which
> database engine do you plan to use? Does that database engine have means to
> encrypt entire tables or data sets?
> And what do you do for client security? There is not much gained when your
> server is like Fort Knox, but the users can access the application from any
> client on any network and then do so from their favourite internet cafe,
> leaving the PC unattended while getting another beer. So you want to at
> least restrict the IP address (ranges) that are allowed to get even to the
> login page.
>
> Sorry for asking that many questions, but I think those and many more
> questions need to be asked and sufficiently answered.
>
> David
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>