Page 1 of 2

"Real" Secure Webcommunicaton - Technology Request

Posted: Fri Jul 16, 2004 3:44 am
by jakobdoppler
Hi

I have a question concerning web technologies. As I am working with a LAMP (Linux, Apache, MySQL, PHP) web server, I am confronted with a new project that demands a really secure web area for file exchange and form data transmission.

If I am really in need of a good and secure web-based communication system, which development environment should I choose? If I take all necessary security preparations into consideration, can I still rely on PHP/MySQL, or should I use something JSP/Servlet-like (which a lot of e-banking accounts are in favour of)? PHP would offer some good development via PEAR modules, whereas JSP offers the Struts framework, which makes use of the MVC (3-tier Model View Controller) model.

Does anyone have experience in sensitive data exchange on the web? What technology should I use? What do I need besides SSL and constant maintenance of the web server, its components and its software? Any recommendations or resources on this topic?


Thx a lot, Jakob

And of course I know there cannot be total security... ;-)

Posted: Mon Jul 19, 2004 10:17 am
by contact_bogomil
Well, it all depends on your client data, but if you want to build the whole system from the beginning, I recommend using
PHP, Oracle and Java, with XML for communication between them.

Posted: Tue Jul 20, 2004 4:08 am
by jakobdoppler
Mhhh, by what means do you recommend Java and/or PHP?

Oracle + some data directory would be for data storage?
PHP is the presentation layer?
And Java? Would you use Java also for the web (servlet, JSP) or just for background programming?

thx _yak

re

Posted: Tue Jul 20, 2004 4:11 am
by contact_bogomil
me:
Oracle for the database (this depends on the user count and on many factors)
PHP-Java communication - if you have different servers (more than 1)


you:
-----------
Oracle + some data directory would be for data storage?
PHP is the presentation layer?
And Java? Would you use Java also for the web (servlet, JSP) or just for background programming?
---------------

additional

Posted: Tue Jul 20, 2004 4:12 am
by jakobdoppler
Sorry - regarding client data - a first draft could cover:

Client has access to some files (pdf, xls, whatever)
Client can insert data via HTML web forms

Does anyone know a good example of a "high security" site which covers these issues?

Regards, _yak

Posted: Tue Jul 20, 2004 4:15 am
by contact_bogomil
Is that all? ;)) Only documents? ;)))
You need PHP and MySQL only, with some administration rights to serve, and your application will work great.

All the best
Bogomil

Posted: Tue Jul 20, 2004 4:41 am
by jakobdoppler
OK, that means: no special security effort needed, and I can rely on PHP/MySQL if the server is secure (SSL, good security settings of MySQL, PHP, Apache)?

tia _yak

re

Posted: Tue Jul 20, 2004 4:44 am
by contact_bogomil
Yes, you don't need high security for things like that.
SSL, PHP, MySQL.

If you can, export your files out of the web root and process them through PHP to the user, using server sessions (this works fine with about 5000 users).

All the Best
Bogomil

Posted: Fri Aug 06, 2004 1:31 pm
by ldomingues
You can add more security to a LAMP environment.

If you use PHP + MySQL + Apache:
- encrypt passwords in MySQL database using hash functions (md5)
- use HTTPS to connect to Apache
- use a firewall (APF for example)
- tighten system security (Bastille)
- use a client certificate for logging in (it doesn't have to be a commercial certificate) - that will improve security if passwords are compromised.

Posted: Fri Aug 06, 2004 1:33 pm
by Joe
For the ultimate password security try:

md5(str_rot13(sha1($string)));
As far as I know, no brute-forcers or dictionary attackers can decrypt that...

Posted: Fri Aug 06, 2004 1:42 pm
by feyd
That can be brute-forced.. it'll just take a while ;)

Posted: Fri Aug 06, 2004 1:48 pm
by Joe
Ohh, that's interesting. However, when you say a while, I guess that's about 10 years, hehe!

Posted: Fri Aug 06, 2004 1:49 pm
by feyd
It's highly dependent on the megaflops of the computer(s).. but yes.. generally a long time.

Posted: Fri Aug 06, 2004 1:51 pm
by Joe
Yes, I thought so. :D That's why it's best to use long passwords consisting of characters and numbers.

Posted: Fri Aug 06, 2004 2:07 pm
by d3ad1ysp0rk
If they know how you encrypted it, it'll take just as long to brute-force that as it would to brute-force a plain-text password..
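As an added example (not code from the thread or from any of its posters), this Python script reimplements Joe's md5(str_rot13(sha1())) construct beside a salted, iterated PBKDF2 hash, and illustrates the point feyd and d3ad1ysp0rk make: with no salt and no work factor, equal passwords give equal stored values and every guess costs no more than for a plain hash, so a defender can spot the weakness simply by checking a user table for duplicate stored values. The sample users, their passwords, and the function names are constructed for this demonstration; the rot13 step is assumed to act on the 40-character hex digest, as PHP's str_rot13 would.

```python
import codecs
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Optional


def nested_hash(password: str) -> str:
    # Reimplementation of the thread's md5(str_rot13(sha1($string))) scheme
    # (assumption: rot13 runs over the hex SHA-1 digest, as in PHP).
    # No salt and no iteration count: one password -> one fixed digest.
    sha_hex = hashlib.sha1(password.encode("utf-8")).hexdigest()
    rotated = codecs.encode(sha_hex, "rot_13")
    return hashlib.md5(rotated.encode("ascii")).hexdigest()


def stretched_hash(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    # Salted, iterated PBKDF2-HMAC-SHA256. The per-user salt makes equal passwords
    # produce different stored values; the iteration count makes each guess slow.
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_stretched(password: str, stored: str) -> bool:
    # Recompute with the stored salt and iteration count; constant-time compare.
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def shared_hash_groups(records: dict) -> list:
    # Defender's audit over a {user: stored_value} table: users whose stored values
    # are identical. Under an unsalted scheme this reveals shared passwords and
    # means a single precomputed table would cover every user at once.
    groups = defaultdict(list)
    for user, stored in records.items():
        groups[stored].append(user)
    return sorted(g for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    # Constructed sample user table: two users picked the same password.
    users = {"alice": "Winter2004", "bob": "Winter2004", "carol": "correct horse"}
    nested = {u: nested_hash(p) for u, p in users.items()}
    salted = {u: stretched_hash(p) for u, p in users.items()}
    print("nested scheme duplicates:", shared_hash_groups(nested))  # [['alice', 'bob']]
    print("salted PBKDF2 duplicates:", shared_hash_groups(salted))  # []
```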