Here's another thought I wonder about encryption technology. Could one day encryption technology replace the need for firewalls - either partially or altogether? Forget about those security policies, is my firewall configured right, applying security patches & hardening the OS, etc... If one can just encrypt their entire drive or the data needed to be protected by encryption - Why need a fw if the data is garbled and useless to those who can't decrypt it. Of course fw plays other roles but from a pure "protect my data from the unwanted" to me encryption may solve that. Just a thought!
Joe

On Sun, Apr 6, 2008 at 7:12 PM, Joe Leo <[EMAIL PROTECTED]> wrote:

> Wow, I really appreciate the feedback and some of the many comments I am
> getting to my original question. I ask my original question not so much I
> have some secrecy of any kind of application. As I mentioned, I'm not much
> of a programmer in practice. I'm just getting interested in the encryption
> technology as a whole and since I have not really used any of them I wanted
> to get an idea how effective they are.
>
> Now the feedback with the questions and comments I am getting are good, in
> that, they make me think why would I use it and to achieve what purpose.
> What I've been hoping to gain from asking my question is then why & when to
> use such encryption tool - especially, when hosting your data remotely by a
> hosting provider.
>
> My thought is if encryption techniques like TrueCrypt work - Why not use
> it regardless who is your hosting provider. Or, having to consider questions
> like who you trying to protect data from. I mean, when you buy a nice brand
> new expensive car you have a key to lock the doors and some go further to
> put in a car alarm or car tracking device. Who you're trying to prevent from
> stealing your car is no brainer question to consider - IMO. One knows that
> locking the door and/or having a car alarm is a deterrent - Though not 100%
> guaranteed. Maybe my example is not the best but just trying to raise a
> point.
>
> In my question to deploy some encryption on my data would (help) minimize
> people stealing private data - Why not use it, especially if there's not
> much performance penalty.
>
> David, regarding your comments below:
>
> > So are you worried about encryption during uploading or about encryption
> > while executing the scripts on the server and serving up content - or both?
> > What other security measures did you include?
>
> You've hit the right questions I am looking to understand. The answer is
> both. From what I understand about a tool like TrueCrypt I can encrypt say
> my webfolder (web site) and upload it to my hosting provider. And, what I am
> trying to understand is can the encrypted data remain encrypted and still
> serve content. Or, once I upload the encrypted data must I need to decrypt
> it to serve the content? I am not concerned about data being encrypted out to
> the users browser. SSL takes care of that - right? So, if it is that I can
> encrypt and it remains encrypted while serving content then this is not a bad
> solution. And, of course one can take other measures like ssh to the server
> to actually keep access to it secure.
>
> joe
>
> On Sun, Apr 6, 2008 at 5:09 PM, David Krings <[EMAIL PROTECTED]> wrote:
>
> > Joe Leo wrote:
> >
> > > Well, you could wrap everything into PHP and use one of these PHP
> > > obfuscators.
> > >
> > > Well, I am not much of a php/programmer and don't know how and what it
> > > means to "wrap everything into php".
> >
> > I mean that you need to use PHP to output static page content if you
> > want to encode / obfuscate everything.
> >
> > > Still, I wonder why you want to do that? Do you distrust your
> > > hosting company that much? In that case I'd look for a different
> > > provider.
> > >
> > > Well, I am just looking into a solution to encrypt data. The question
> > > as to why I would want to do that is not the question - But, thanks for
> > > asking.
> >
> > Well, the reason for me asking is that there may be a better approach
> > than taking the big hammer. I speak from experience as I often use(d) the
> > big hammer and everything was a nail.
> >
> > > What are you trying to protect and who are you protecting it
> > > against?
> > >
> > > I'm looking to protect data/information that could be the software
> > > code and/or customer's client info.. Protection should be from anyone who
> > > does not need to have access to the website data or the DB... Of course,
> > > data will be shown to users (web client) who has been given access to view
> > > this data from the application.
> >
> > So who is your hoster? Ever thought about self-hosting or having the
> > customer run the server? Any chance that this might work via intranet rather
> > than internet, because then you probably want to add SSL to the pages. I do
> > not know if that is difficult to do. But keep in mind, anything that is
> > accessible via internet is not what I'd consider entirely secure.
> > I don't see why you need to protect the software code. PHP is server
> > side only and the client doesn't see anything from your PHP code.
> > And yes, it is assumed that legitimate users are allowed to see
> > information, otherwise the whole setup would be quite pointless.
> >
> > > What I am interested in is to find the most effective and most secure
> > > way to upload my website & db to remote host and the data is fully
> > > protected by encryption.
> >
> > As mentioned above, hosting something offsite and have it be available
> > through the internet is IMHO not secure. Taking stuff can be made more
> > difficult, but most secure....well, I leave that up to the experts, but I
> > have my doubts - see Hannaford, TJX, etc.
> >
> > > I will look into the ionCube suggested earlier - Though this seems to
> > > be a PHP only base solution. From what I gather, a product like TrueCrypt
> > > could be better as I can encrypt an entire volume or folder and it's done -
> > > Regardless of type of code or application that exist or being encrypted.
> >
> > Again, comes down to the hosting service that you have. Do you have that
> > much access and rights to the server that you can just go ahead and run
> > services that encrypt and decrypt entire folders?
> >
> > > I know many software type companies package their software where
> > > either partially or fully the code is encrypted and protected. This is the
> > > similar type of solution I guess I am looking for.
> >
> > Nah, most companies distribute binaries that make it difficult enough
> > for people like me to re-engineer the code. But look at the open source
> > security applications. Their code is freely available. Security through
> > obscurity is one of the worst approaches.
> >
> > I don't want to rain on your parade, but taking into account that you
> > are "not much of a php/programmer" you may want to take a step back and
> > think this over if that application is indeed that critical and demands such
> > secrecy that code and database have to be encrypted. I play around with PHP
> > for about five years now and I don't think that I'd be capable of writing a
> > secure application. I'm not saying that you are not capable of that, but I
> > have the impression that you think slapping some encryption onto something
> > makes it secure.
> > I am also wondering a bit about your statement that you want "to find
> > the most effective and most secure way to upload my website & db to remote
> > host". So are you worried about encryption during uploading or about
> > encryption while executing the scripts on the server and serving up content
> > - or both? What other security measures did you include? Captchas? Multiple
> > time-limited passwords? Multiple access levels? Effective session management
> > to kick people out of the system after a few minutes of inactivity? Or even
> > other means such as biometrics as identification? Your own certificate?
> > Also, does it have to be a web client? I'd guess there are way more and
> > way better means to encrypt data when working with fat clients. Also, which
> > database engine do you plan to use? Does that database engine have means to
> > encrypt entire tables or data sets?
> > And what do you do for client security? There is not much gained when
> > your server is like Fort Knox, but the users can access the application from
> > any client on any network and then do so from their favourite internet cafe,
> > leaving the PC unattended while getting another beer. So you want to at
> > least restrict the IP address (ranges) that are allowed to get even to the
> > login page.
> >
> > Sorry for asking that many questions, but I think those and many more
> > questions need to be asked and sufficiently answered.
> >
> > David
> >
> > _______________________________________________
> > New York PHP Community Talk Mailing List
> > http://lists.nyphp.org/mailman/listinfo/talk
> >
> > NYPHPCon 2006 Presentations Online
> > http://www.nyphpcon.com
> >
> > Show Your Participation in New York PHP
> > http://www.nyphp.org/show_participation.php