Joe Leo wrote:
    Well, you could wrap everything into PHP and use one of these PHP
    obfuscators.

Well, I am not much of a php/programmer and don't know how and what it means to "wrap everything into php".

I mean that you need to use PHP to output static page content if you want to encode / obfuscate everything.

    Still, I wonder why you want to do that? Do you distrust your
    hosting company that much? In that case I'd look for a different
    provider.


Well, I am just looking into solutions to encrypt data. The question as to why I would want to do that is not the question. But thanks for asking.

Well, the reason for me asking is that there may be a better approach than taking the big hammer. I speak from experience as I often use(d) the big hammer and everything was a nail.


    What are you trying to protect and who are you protecting it against?

I'm looking to protect data/information that could be the software code and/or customer's client info. Protection should be from anyone who does not need to have access to the website data or the DB... Of course, data will be shown to users (web client) who have been given access to view this data from the application.

So who is your hoster? Ever thought about self-hosting or having the customer run the server? Any chance that this might work via intranet rather than internet, because then you probably want to add SSL to the pages. I do not know if that is difficult to do. But keep in mind, anything that is accessible via internet is not what I'd consider entirely secure. I don't see why you need to protect the software code. PHP is server side only and the client doesn't see anything from your PHP code. And yes, it is assumed that legitimate users are allowed to see information, otherwise the whole setup would be quite pointless.

What I am interested in is to find the most effective and most secure way to upload my website & db to a remote host with the data fully protected by encryption.

As mentioned above, hosting something offsite and having it be available through the internet is IMHO not secure. Taking stuff can be made more difficult, but most secure... well, I leave that up to the experts, but I have my doubts - see Hannaford, TJX, etc.

I will look into the ionCube suggested earlier - Though this seems to be a PHP-only based solution. From what I gather, a product like TrueCrypt could be better as I can encrypt an entire volume or folder and it's done - Regardless of the type of code or application that exists or is being encrypted.

Again, it comes down to the hosting service that you have. Do you have that much access and rights to the server that you can just go ahead and run services that encrypt and decrypt entire folders?


I know many software type companies package their software where the code is either partially or fully encrypted and protected. This is the similar type of solution I guess I am looking for.

Nah, most companies distribute binaries that make it difficult enough for people like me to re-engineer the code. But look at the open source security applications. Their code is freely available. Security through obscurity is one of the worst approaches.

I don't want to rain on your parade, but taking into account that you are "not much of a php/programmer" you may want to take a step back and think this over if that application is indeed that critical and demands such secrecy that code and database have to be encrypted. I have been playing around with PHP for about five years now and I don't think that I'd be capable of writing a secure application. I'm not saying that you are not capable of that, but I have the impression that you think slapping some encryption onto something makes it secure. I am also wondering a bit about your statement that you want "to find the most effective and most secure way to upload my website & db to remote host". So are you worried about encryption during uploading or about encryption while executing the scripts on the server and serving up content - or both? What other security measures did you include? Captchas? Multiple time-limited passwords? Multiple access levels? Effective session management to kick people out of the system after a few minutes of inactivity? Or even other means such as biometrics as identification? Your own certificate? Also, does it have to be a web client? I'd guess there are way more and way better means to encrypt data when working with fat clients. Also, which database engine do you plan to use? Does that database engine have means to encrypt entire tables or data sets? And what do you do for client security? There is not much gained when your server is like Fort Knox, but the users can access the application from any client on any network and then do so from their favourite internet cafe, leaving the PC unattended while getting another beer. So you want to at least restrict the IP address (ranges) that are allowed to get even to the login page.

Sorry for asking that many questions, but I think those and many more questions need to be asked and sufficiently answered.

David
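Two of the measures David lists, restricting which IP ranges can reach the login page and expiring idle sessions, as an added PHP example that is not part of this thread. The function names, the address ranges and the 600 second idle limit are all constructed for illustration.

```php
<?php
// Added example, not from the thread. Assumes 64-bit PHP integers (ip2long
// returns non-negative values there). Ranges and the idle limit are constructed.

// True if an IPv4 address lies inside a CIDR range such as 192.0.2.0/24.
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false || !ctype_digit($bits) || (int) $bits > 32) {
        return false;                            // malformed input never matches
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

// True if the client address matches any allowed range.
function client_allowed(string $remoteAddr, array $allowedRanges): bool
{
    foreach ($allowedRanges as $range) {
        if (ip_in_cidr($remoteAddr, $range)) {
            return true;
        }
    }
    return false;
}

// Refreshes the session's last-seen time and returns true while it is within
// the idle limit; past the limit it empties the session and returns false.
function session_still_active(array &$session, int $now, int $idleLimit): bool
{
    if (isset($session['last_seen']) && $now - $session['last_seen'] > $idleLimit) {
        $session = [];                           // idle too long: drop login state
        return false;
    }
    $session['last_seen'] = $now;
    return true;
}

// Constructed sample: one office range and one admin host are allowed in;
// sessions expire after 600 s of inactivity.
$allowed = ['192.0.2.0/24', '198.51.100.7/32'];
$session = ['user' => 'alice', 'last_seen' => 1000000];
foreach (['192.0.2.42', '203.0.113.9'] as $addr) {
    echo $addr, ': ', client_allowed($addr, $allowed) ? 'allowed' : 'denied', "\n";
}
echo 'after 300 s: ', session_still_active($session, 1000300, 600) ? 'active' : 'expired', "\n";
echo 'after 901 s more: ', session_still_active($session, 1000300 + 901, 600) ? 'active' : 'expired', "\n";
```

In a real deployment the address check would run on `$_SERVER['REMOTE_ADDR']` before the login form is rendered, and the session check on `$_SESSION` at the top of every authenticated page.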
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
