Joe Leo wrote:
> Wow, I really appreciate the feedback and some of the many comments I am
> getting to my original question. I asked my original question not so much
> because I have some secrecy of any kind of application. As I mentioned, I'm not
> much of a programmer in practice. I'm just getting interested in the
> encryption technology as a whole and since I have not really used any of
> them I wanted to get an idea how effective they are.
Ah, so you are not really creating a PHP application, but only want to inquire
about encryption technologies? While that is a valid question to ask, you
seemed to be asking more for an entire protection package, which encyption is
only a small part from. I used to work for a company that makes electronic
locks. A simple battery powered mortise lock starts at 1,000$. I once was
asked by an IT services manager at a university which lock I recommend they
put on the server room. I told him that it doesn't matter as long as the walls
are made from sheet rock and one can just crawl in through the plenum anyway.
The way I see it, the lock is the encryption piece you are looking for, but
you don't ask about the fact that physical access to the server is easy and
that someone even left a cart right next to it.
If you want to learn about encryption technology I'd recommend a walk to the
local library and take a look at what they have. After that a good question to
ask is who on this list made use of encryption technologies. You may also want
to contact the various encryption tool vendors, but be warned that they will
constantly mail you their marketing garbage. I did that once because I wanted
to get a free 512MB USB drive. VeriSign still owes me the drive, but they make
sure that my recycling bin is full.
> Now the feedback with the questions and comments I am getting is good,
> in that it makes me think why I would use it and to achieve what
> purpose. What I've been hoping to gain from asking my question is then
> why & when to use such an encryption tool - especially when hosting your
> data remotely with a hosting provider.
Ah, ok, but repeating myself here, only looking at encryption when using 3rd
party hosting is really not the right approach in my opinion. You also need to
see that the database and the web server are not necessarily on the same
system. And you look only at file encryption as it seems, you need to look at
data transfer encryption as well, which is a different animal and depends on
what the server and client are. When the client is a browser you likely will
have less choice of what kind of encryption you can use. Also, I mentioned
obfuscation earlier, which is not the same as encryption. And you need to ask
if encryption is really necessary and if you can secure the systems by other
means as effectively.
> My thought is if encryption techniques like TrueCrypt work - why not
> use it regardless of who your hosting provider is. Or, having to consider
> questions like who you are trying to protect data from. I mean, when you buy
> a nice brand new expensive car you have a key to lock the doors and some
> go further to put in a car alarm or car tracking device. Who you're
> trying to prevent from stealing your car is a no-brainer question to
> consider - IMO. One knows that locking the door and/or having a car
> alarm is a deterrent - though not 100% guaranteed. Maybe my example is
> not the best but I am just trying to raise a point.
Well, encryption comes at a cost, the performance of the entire system will go
down and that may require that you create parallel system(s) to handle the
load. Things get really complicated then.
Besides that, I always leave my car unlocked. Want to steal my crappy $29.99
radio? Go right ahead. Gives me a reason to buy a better one. But please don't
smash a window, which is way more expensive to replace. Or take the entire car
and please don't have police find it. I have a cheap car that brings me from A
to B. I just don't see the point in expensive cars that have big engines, are
heavy and use excessive amounts of gas - but I guess that is not the point of
this discussion.
> In my question, to deploy some encryption on my data would (help)
> minimize people stealing private data - why not use it, especially if
> there's not much performance penalty.
Why would encryption help when I can take the entire server and take my time
decrypting the data? Or if I can use some off the shelf equipment from
RadioShack and software off the web to capture and decipher the EMF from the
client's mouse, keyboard and monitor? Tests have shown that one can read input
and output this way from an office across the street.
> David, regarding your comments below:
>> So are you worried about encryption during uploading or about
>> encryption while executing the scripts on the server and serving up
>> content - or both? What other security measures did you include?
> You've hit the right questions I am looking to understand. The answer is
> both. From what I understand about a tool like TrueCrypt I can encrypt
> say my webfolder (web site) and upload it to my hosting provider. And,
The way I understand it is that you can encrypt it once it is at your provider
and need to decrypt it once you want to use it. At least that is what I got
from the articles I read in the past, but I haven't read any more technical
info about it. But uploading an encrypted folder requires that the hosting
provider has servers that can decrypt the folder. Again, I don't think that
file encryption is really the thing to look first at.
> what I am trying to understand is can the encrypted data remain
> encrypted and still serve content. Or, once I upload the encrypted data
> must I need to decrypt it to serve the content? I am not concerned about
You need to decrypt it at some point, the latest is at the client, unless you
find persons that can decrypt digital data on the fly. I don't think these
persons exist.
> data being encrypted out to the user's browser. SSL takes care of that -
> right? So, if it is that I can encrypt and it remains encrypted while
> serving content then this is not a bad solution. And, of course one can
> take other measures like ssh to the server to actually keep access to it
> secure.
I don't know what SSL takes care of, but I don't think that SSL is what is
used for file encryption. As mentioned before data transfer encryption and
file encryption are two different things.
Say, you aren't writing some paper for school that is due tomorrow, are you?
David
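Added example, not code from either poster or from any product named in the thread: a small Go model of David's point that a web folder encrypted at rest still has to be decrypted by the server on every request, so the key must sit on the host next to the data (and transport encryption such as SSL is a separate layer entirely). The names HostedFolder, Upload and Serve and the nonce || AES-GCM layout are assumptions for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// HostedFolder models a web folder kept encrypted at rest on a third-party
// host. Constructed example; nonce || AES-GCM ciphertext per file is assumed.
type HostedFolder struct {
	Key   []byte            // the host must hold this to serve anything
	Files map[string][]byte // per file: nonce || ciphertext
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Upload encrypts a file before it leaves the owner's machine; the name is bound as associated data.
func (h *HostedFolder) Upload(name string, plaintext []byte) error {
	gcm, err := newGCM(h.Key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return err
	}
	h.Files[name] = gcm.Seal(nonce, nonce, plaintext, []byte(name))
	return nil
}

// Serve is what the web server does on every request: decrypt. It cannot
// work without the key, so whoever takes the whole server takes the data.
func (h *HostedFolder) Serve(name string) ([]byte, error) {
	blob, ok := h.Files[name]
	gcm, err := newGCM(h.Key)
	if !ok || err != nil || len(blob) < gcm.NonceSize() {
		return nil, errors.New("missing or unreadable file")
	}
	ns := gcm.NonceSize()
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(name))
}
```

Stored bytes are unreadable without the key, but a copy of the running server (files plus key) serves every page exactly as the legitimate server does.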
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk