"Real" Secure Webcommunicaton - Technology Request



jakobdoppler
Forum Commoner
Posts: 46
Joined: Wed May 21, 2003 6:16 pm

"Real" Secure Webcommunicaton - Technology Request

Post by jakobdoppler »

Hi

I have a question concerning web technologies. As I am working with a LAMP (Linux, Apache, MySQL, PHP) web server, I am confronted with a new project that demands a really secure web area for file exchange and form data transmission.

If I am really in need of a good and secure web-based communication system, which development environment would I choose? If I take all necessary security preparations into consideration, can I still rely on PHP/MySQL, or should I use something JSP/Servlet-like (which a lot of e-banking accounts are in favour of)? PHP would offer some good development by PEAR modules, whereas JSP offers the Struts framework, which makes use of the MVC (3-tier Model View Control) model.

Does anyone have experience in sensitive data exchange on the web? What technology do I use? What do I need besides SSL and constant maintenance of the web server, its components and its software? Any recommendations or resources on this topic?


Thx a lot, Jakob

And of course I know there cannot be total security... ;-)
contact_bogomil
Forum Newbie
Posts: 22
Joined: Mon May 27, 2002 8:13 am
Location: Sofia, Bulgaria

Post by contact_bogomil »

Well, it all depends on your client data, but if you want to build the whole system from the beginning, I recommend you use
PHP, Oracle and Java, and XML for communication between them.
jakobdoppler
Forum Commoner
Posts: 46
Joined: Wed May 21, 2003 6:16 pm

Post by jakobdoppler »

Mhhh, by what means do you recommend Java and/or PHP?

Oracle + some data directory would be for data storage.
PHP is the presentation layer?
And Java? Would you use Java also for the web (servlet, JSP) or just for background programming?

thx _yak
contact_bogomil
Forum Newbie
Posts: 22
Joined: Mon May 27, 2002 8:13 am
Location: Sofia, Bulgaria

re

Post by contact_bogomil »

me:
Oracle for the database (this depends on the user count and on many factors)
PHP - Java communication - if you have different servers (more than 1)


you:
-----------
oracle+ some data directory would be for data storage
php is presentation layer ?
and java? would you use java also for web (servlet , jsp) or just for background programming ?
---------------
jakobdoppler
Forum Commoner
Posts: 46
Joined: Wed May 21, 2003 6:16 pm

additional

Post by jakobdoppler »

Sorry - regarding client data - a first draft could cover:

Client has access to some files (pdf, xls, whatever)
Client can insert data via HTML web forms

Does anyone know a good example of a "highly secure" site which covers these issues?

Regards, _yak
contact_bogomil
Forum Newbie
Posts: 22
Joined: Mon May 27, 2002 8:13 am
Location: Sofia, Bulgaria

Post by contact_bogomil »

Is that all? ;)) Only documents? ;)))
You need PHP and MySQL only, with some administration rights to serve, and your application will work great.

All the best
Bogomil
jakobdoppler
Forum Commoner
Posts: 46
Joined: Wed May 21, 2003 6:16 pm

Post by jakobdoppler »

Ok, that means: no special security effort needed, and I can rely on PHP/MySQL if the server is secure (SSL, good security settings of MySQL, PHP, Apache)?

tia _yak
contact_bogomil
Forum Newbie
Posts: 22
Joined: Mon May 27, 2002 8:13 am
Location: Sofia, Bulgaria

re

Post by contact_bogomil »

Yes, you don't need high security for things like that.
SSL, PHP, MySQL.

If you can, export your files out of the web root and serve them through PHP to the user, using server sessions (this works fine with about 5000 users).

All the Best
Bogomil
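The download handler described in the reply above, written out as an added example (not code from the thread or from any poster). It assumes the login code already sets $_SESSION['user_id'] and $_SESSION['allowed_files'] (the file names this user may fetch), and that the files live in /srv/private_files, a directory Apache never serves directly.

```php
<?php
// Added example: serve files stored outside the web root through PHP,
// only to a logged-in session. Assumed session keys: user_id, allowed_files.
session_start();

$storeDir  = '/srv/private_files';       // assumed path, outside DocumentRoot
$storeReal = realpath($storeDir);        // canonical form for the prefix check

if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}

// basename() drops every directory component, so "../../etc/passwd"
// collapses to "passwd" and cannot leave $storeDir.
$name = basename($_GET['file'] ?? '');

// Authorisation: the session, not the request, decides which files are visible.
$allowed = $_SESSION['allowed_files'] ?? [];
if ($name === '' || !in_array($name, $allowed, true)) {
    http_response_code(404);
    exit('Not found');
}

// Independent second check: the resolved path must still sit inside the store
// and must be a regular file (no symlinks pointing elsewhere, no directories).
$path = realpath($storeDir . '/' . $name);
if ($storeReal === false || $path === false
    || strpos($path, $storeReal . '/') !== 0 || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// Force a download with a generic type so the browser neither renders the
// content inline nor sniffs a type, and tell proxies/browsers not to cache it.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: no-store');
readfile($path);
```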
ldomingues
Forum Commoner
Posts: 41
Joined: Fri Aug 06, 2004 1:15 pm
Location: Portugal

Post by ldomingues »

You can add more security to a LAMP environment.

If you use PHP + MySQL + Apache:
- encrypt passwords in MySQL database using hash functions (md5)
- use HTTPS to connect to Apache
- use a firewall (APF for example)
- tighten system security (Bastille)
- use a client certificate for logging in (it doesn't have to be a commercial certificate) - that will improve security if passwords are compromised.
Joe
Forum Regular
Posts: 939
Joined: Sun Feb 29, 2004 1:26 pm
Location: UK - Glasgow

Post by Joe »

For the ultimate password security try:

Code:

    <?php
    // Joe's suggested scheme, as posted: sha1, then rot13 of the hex digest, then md5
    $hashed = md5(str_rot13(sha1($string)));

As far as I know, no bruteforcers or dictionary attackers can decrypt that...
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

that can be bruteforced.. it'll just take a while ;)
Joe
Forum Regular
Posts: 939
Joined: Sun Feb 29, 2004 1:26 pm
Location: UK - Glasgow

Post by Joe »

Ohh, that's interesting. However, when you say a while, I guess that's about 10 years hehe!
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

it's highly dependent on the megaflops of the computer(s).. but yes.. generally a long time.
Joe
Forum Regular
Posts: 939
Joined: Sun Feb 29, 2004 1:26 pm
Location: UK - Glasgow

Post by Joe »

Yes, I thought so. :D That's why it's best to use long passwords consisting of characters and numbers.
d3ad1ysp0rk
Forum Donator
Posts: 1661
Joined: Mon Oct 20, 2003 8:31 pm
Location: Maine, USA

Post by d3ad1ysp0rk »

If they know how you encrypted it, it'll take just as long to brute force that as it would to brute force a plain-text password..
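The exchange above (md5 vs. a nested md5/rot13/sha1 chain, and why a known scheme adds nothing against guessing) side by side with the defence that actually helps, as an added example that is not from any poster. It assumes PHP 7 or later for password_hash() and password_verify(); the password values are constructed for illustration.

```php
<?php
// Added example: the thread's unsalted, fast digests versus bcrypt via
// password_hash(). Assumes PHP >= 7.0.

// The thread's approach. Fast, unsalted, deterministic: two users with the
// same password get the same digest, and an attacker who knows the chain
// simply runs the same three calls per guess, so the nesting buys nothing.
function legacy_hash(string $password): string {
    return md5(str_rot13(sha1($password)));
}

// Hardened approach. bcrypt embeds a random per-user salt in its output and
// repeats its work 2^cost times, so every guess is slow and precomputed
// tables are useless across users.
function store_password(string $password): string {
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function check_password(string $password, string $stored): bool {
    return password_verify($password, $stored);
}

// Let the cost be raised later without a forced reset: on a successful login,
// rehash if the stored value was made with weaker parameters.
function maybe_rehash(string $password, string $stored, int $cost): string {
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $cost])) {
        return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    }
    return $stored;
}

// Constructed demonstration values.
$pw = 'correct horse battery staple';

// Same input, same legacy digest every time: one cracked digest cracks all
// users who chose that password.
var_dump(legacy_hash($pw) === legacy_hash($pw));

// Same input, different bcrypt hashes (random salt), both still verifiable.
$h1 = store_password($pw);
$h2 = store_password($pw);
var_dump($h1 === $h2);
var_dump(check_password($pw, $h1), check_password($pw, $h2));
var_dump(check_password('wrong guess', $h1));

// Upgrading the work factor on next login leaves verification intact.
$h3 = maybe_rehash($pw, $h1, 13);
var_dump(check_password($pw, $h3));
```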