Wow, I really appreciate the feedback and some of the many comments I am getting to my original question. I asked my original question not so much because I have an application that needs any kind of secrecy. As I mentioned, I'm not much of a programmer in practice. I'm just getting interested in encryption technology as a whole, and since I have not really used any of it I wanted to get an idea of how effective it is.

Now the feedback with the questions and comments I am getting is good, in that it makes me think about why I would use it and to achieve what purpose. What I've been hoping to gain from asking my question is why and when to use such an encryption tool - especially when hosting your data remotely with a hosting provider. My thought is, if encryption techniques like TrueCrypt work - why not use it regardless of who your hosting provider is. Or having to consider questions like who you are trying to protect data from.

I mean, when you buy a nice brand new expensive car you have a key to lock the doors, and some go further and put in a car alarm or car tracking device. Who you're trying to prevent from stealing your car is a no-brainer question to consider - IMO. One knows that locking the door and/or having a car alarm is a deterrent - though not 100% guaranteed. Maybe my example is not the best, but I'm just trying to raise a point. In my question, if deploying some encryption on my data would (help) minimize people stealing private data - why not use it, especially if there's not much performance penalty.

David, regarding your comments below:

> So are you worried about encryption during uploading or about encryption
> while executing the scripts on the server and serving up content - or both?
> What other security measures did you include?

You've hit the right questions I am looking to understand. The answer is both. From what I understand about a tool like TrueCrypt, I can encrypt, say, my web folder (web site) and upload it to my hosting provider. And what I am trying to understand is: can the encrypted data remain encrypted and still serve content? Or, once I upload the encrypted data, do I need to decrypt it to serve the content? I am not concerned about data being encrypted out to the user's browser. SSL takes care of that - right? So, if it is that I can encrypt and it remains encrypted while serving content, then this is not a bad solution.

And, of course, one can take other measures like ssh to the server to actually keep access to it secure.

joe

On Sun, Apr 6, 2008 at 5:09 PM, David Krings <[EMAIL PROTECTED]> wrote:

> Joe Leo wrote:
>
> > Well, you could wrap everything into PHP and use one of these PHP
> > obfuscators.
> >
> > Well, I am not much of a php/programmer and don't know how and what it
> > means to "wrap everything into php".
> >
>
> I mean that you need to use PHP to output static page content if you want
> to encode / obfuscate everything.
>
> > Still, I wonder why you want to do that? Do you distrust your
> > hosting company that much? In that case I'd look for a different
> > provider.
> >
> >
> > Well, I am just looking into a solution to encrypt data. The question
> > as to why I would want to do that is not the question - But, thanks for
> > asking.
> >
>
> Well, the reason for me asking is that there may be a better approach than
> taking the big hammer. I speak from experience as I often use(d) the big
> hammer and everything was a nail.
>
> > What are you trying to protect and who are you protecting it against?
> >
> > I'm looking to protect data/information that could be the software code
> > and/or customer's client info.. Protection should be from anyone who does
> > not need to have access to the website data or the DB... Of course, data
> > will be shown to users (web client) who have been given access to view this
> > data from the application.
> >
>
> So who is your hoster? Ever thought about self-hosting or having the
> customer run the server? Any chance that this might work via intranet rather
> than internet, because then you probably want to add SSL to the pages. I do
> not know if that is difficult to do. But keep in mind, anything that is
> accessible via internet is not what I'd consider entirely secure.
> I don't see why you need to protect the software code. PHP is server side
> only and the client doesn't see anything from your PHP code.
> And yes, it is assumed that legitimate users are allowed to see
> information, otherwise the whole setup would be quite pointless.
>
> > What I am interested in is to find the most effective and most secure way
> > to upload my website & db to remote host and the data is fully protected by
> > encryption.
> >
>
> As mentioned above, hosting something offsite and having it be available
> through the internet is IMHO not secure. Taking stuff can be made more
> difficult, but most secure....well, I leave that up to the experts, but I
> have my doubts - see Hannaford, TJX, etc.
>
> > I will look into the ionCube suggested earlier - Though this seems to be
> > a PHP-only based solution. From what I gather, a product like TrueCrypt could
> > be better as I can encrypt an entire volume or folder and it's done -
> > Regardless of type of code or application that exists or is being encrypted.
> >
>
> Again, comes down to the hosting service that you have. Do you have that
> much access and rights to the server that you can just go ahead and run
> services that encrypt and decrypt entire folders?
>
> > I know many software type companies package their software where either
> > partially or fully the code is encrypted and protected. This is the similar
> > type of solution I guess I am looking for.
> >
>
> Nah, most companies distribute binaries that make it difficult enough for
> people like me to re-engineer the code. But look at the open source security
> applications. Their code is freely available. Security through obscurity is
> one of the worst approaches.
>
> I don't want to rain on your parade, but taking into account that you are
> "not much of a php/programmer" you may want to take a step back and think
> this over if that application is indeed that critical and demands such
> secrecy that code and database have to be encrypted. I play around with PHP
> for about five years now and I don't think that I'd be capable of writing a
> secure application. I'm not saying that you are not capable of that, but I
> have the impression that you think slapping some encryption onto something
> makes it secure.
> I am also wondering a bit about your statement that you want "to find the
> most effective and most secure way to upload my website & db to remote
> host". So are you worried about encryption during uploading or about
> encryption while executing the scripts on the server and serving up content
> - or both? What other security measures did you include? Captchas? Multiple
> time-limited passwords? Multiple access levels? Effective session management
> to kick people out of the system after a few minutes of inactivity? Or even
> other means such as biometrics as identification? Your own certificate?
> Also, does it have to be a web client? I'd guess there are way more and
> way better means to encrypt data when working with fat clients. Also, which
> database engine do you plan to use? Does that database engine have means to
> encrypt entire tables or data sets?
> And what do you do for client security? There is not much gained when your
> server is like Fort Knox, but the users can access the application from any
> client on any network and then do so from their favourite internet cafe,
> leaving the PC unattended while getting another beer. So you want to at
> least restrict the IP address (ranges) that are allowed to get even to the
> login page.
>
> Sorry for asking that many questions, but I think those and many more
> questions need to be asked and sufficiently answered.
>
> David
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>
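
Two of the measures David lists in the quoted message, restricting which IP ranges can reach even the login page and kicking out idle sessions, sketched in PHP as an added example (not code from anyone in the thread). The address ranges, the five-minute limit and `/login.php` are constructed placeholders, and the check assumes IPv4 on 64-bit PHP.

```php
<?php
// Added illustration: ranges, limit and login URL are constructed placeholders.
const ALLOWED_RANGES = ['192.0.2.0/24', '198.51.100.17/32'];
const IDLE_LIMIT = 300; // seconds of inactivity before the session is dropped
// True when IPv4 $ip lies inside one of the CIDR ranges; malformed or IPv6 input is refused.
function ip_allowed(string $ip, array $ranges = ALLOWED_RANGES): bool
{
    $ipLong = ip2long($ip);
    if ($ipLong === false) {
        return false;
    }
    foreach ($ranges as $cidr) {
        [$net, $bits] = explode('/', $cidr) + [1 => '32'];
        $netLong = ip2long($net);
        $bits = (int) $bits;
        if ($netLong === false || $bits < 0 || $bits > 32) {
            continue; // skip a malformed range instead of matching it
        }
        $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
        if (($ipLong & $mask) === ($netLong & $mask)) {
            return true;
        }
    }
    return false;
}
// True while the session is fresh; every accepted request restarts the idle clock.
function session_still_active(array &$session, int $now, int $limit = IDLE_LIMIT): bool
{
    if (isset($session['last_seen']) && $now - $session['last_seen'] > $limit) {
        $session = []; // forget the login; the user has to authenticate again
        return false;
    }
    $session['last_seen'] = $now;
    return true;
}
// Guard to include at the top of every page, the login page included.
// REMOTE_ADDR is the direct peer; behind a reverse proxy it is the proxy's address.
if (PHP_SAPI !== 'cli') {
    if (!ip_allowed($_SERVER['REMOTE_ADDR'] ?? '')) {
        http_response_code(403);
        exit('Forbidden');
    }
    session_start();
    if (!session_still_active($_SESSION, time())) {
        session_regenerate_id(true);
        header('Location: /login.php');
        exit;
    }
}
```

The guard only limits who can reach the pages and for how long a login stays valid; checking credentials and access levels remains the application's job.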