PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 

All times are UTC - 5 hours




Posted: Wed Nov 07, 2012 9:32 am
DevNet Resident

Joined: Sun Jun 14, 2009 3:13 pm
Posts: 1146
Some hosts offer free shared SSL certs. But often to use them you have to route users through their shared SSL domain (like secure.hostname.com/~useraccount/index.html). This makes using SSL somewhat undesirable for the full session if it isn't necessary to encrypt everything.

Is there a recommended way to move in and out of SSL sessions securely?

I was thinking of:
1. Page A: (non-ssl) Create token and put in db with time stamp
2. Page A: (non-ssl) Pass hash+salt of token to ssl Page B
3. Page B: (ssl) Compare passed hash+salt with db token (hash+salt) and check time stamp for expiration (very short life span)
4. Page B: (ssl) Process sensitive user input.
5. Page B: (ssl) When done update db with new token/time stamp and pass hash+salt back to non-ssl Page C
6. Page C: (non-ssl) Compare db to passed token and time stamp and continue if valid

Other than going to all SSL pages, is there a better approach? (FYI the salt is there mostly because the first token to Page A is retrieved externally over an SSL connection, but I know nothing about how it is being generated or how safe/random it is).

This idea would be vulnerable to session hijack between A and B, or B and C. However I think the ultimate goal of keeping the data entered in Page B secure would still be achieved because in this application there is no way for users to retrieve/view the input data at any point in the process.

Thanks in advance
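
Steps 1 to 6 above as a single-use, expiring handoff token, in an added example that is not part of the original post and not the poster's code. It passes a random token and stores only its keyed hash (a swap for the hash+salt in the post), and ties each token to one hop; `$store`, the function names, the hop labels and the 30-second lifetime are assumptions.

```php
<?php
// Added example, not the poster's code. $store stands in for the database
// table; function names, hop labels and the TTL are hypothetical.

const HANDOFF_TTL = 30; // seconds: the "very short life span" of step 3

function issueHandoff(array &$store, string $hop, string $key, int $now): string
{
    $token = bin2hex(random_bytes(32)); // from the CSPRNG, not derived from user data
    // Keep only a keyed hash, so a leaked table row cannot be replayed as a token.
    $store[hash_hmac('sha256', $token, $key)] = [
        'hop'     => $hop,
        'expires' => $now + HANDOFF_TTL,
    ];
    return $token; // placed in the redirect to the next page
}

function redeemHandoff(array &$store, string $token, string $hop, string $key, int $now): bool
{
    $id = hash_hmac('sha256', $token, $key);
    if (!isset($store[$id])) {
        return false; // unknown, or already redeemed
    }
    $row = $store[$id];
    unset($store[$id]); // single use: consumed even if a later check fails
    if ($now > $row['expires']) {
        return false; // too old
    }
    return hash_equals($row['hop'], $hop); // issued for this hop only
}

// Constructed walk-through; the key and timestamp are sample values.
$store = [];
$key   = random_bytes(32); // server-side secret shared by pages A, B and C
$t0    = 1352302320;

$ab = issueHandoff($store, 'A>B', $key, $t0);                // steps 1-2 on page A
var_dump(redeemHandoff($store, $ab, 'A>B', $key, $t0 + 5));  // step 3 on page B
var_dump(redeemHandoff($store, $ab, 'A>B', $key, $t0 + 6));  // same token replayed

$bc = issueHandoff($store, 'B>C', $key, $t0 + 60);           // step 5 on page B
var_dump(redeemHandoff($store, $bc, 'A>B', $key, $t0 + 61)); // presented at the wrong hop

$late = issueHandoff($store, 'B>C', $key, $t0 + 60);
var_dump(redeemHandoff($store, $late, 'B>C', $key, $t0 + 95)); // step 6, after expiry
```

With a real table, the lookup and delete need to happen in one transaction (or as a single DELETE whose affected-row count is checked) so that two concurrent requests cannot both redeem the same token.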


Posted: Wed Nov 07, 2012 9:36 am
Site Administrator

Joined: Sun May 19, 2002 10:24 pm
Posts: 6887
Shared hosting is not secure by its very nature though and would never pass PCI compliance.

Posted: Fri Nov 09, 2012 8:52 am
DevNet Resident

Joined: Sun Jun 14, 2009 3:13 pm
Posts: 1146
Never? I've seen other people counter that statement on other sites indicating that they have received PCI compliance on shared hosts.


Posted: Fri Nov 09, 2012 10:49 am
Site Administrator

Joined: Sun May 19, 2002 10:24 pm
Posts: 6887
There are questionnaires you can fill out to confirm you are compliant. You can answer those as you wish in order to get the desired outcome.

If the processing is handled by a third party it would be OK, but even if the card numbers on a shared hosting server only ever existed in RAM and were never saved to disk, it's still dangerous because an attacker could write code to save those numbers for you.

Posted: Fri Nov 09, 2012 1:47 pm
DevNet Resident

Joined: Sun Jun 14, 2009 3:13 pm
Posts: 1146
There are shared hosts that are set up to specifically be PCI compliant, with scans conducted by a PCI Compliant Approved Scanning Vendor (ASV). For example, https://www.pcicomplianthosting.com/cpa ... osting.php. I don't think they are hiding anything in order to pass.


Posted: Fri Nov 09, 2012 8:16 pm
Site Administrator

Joined: Wed Aug 25, 2004 7:54 pm
Posts: 13592
Location: New York, NY, US

_________________
(#10850)


Posted: Fri Nov 09, 2012 10:41 pm
Site Administrator

Joined: Sun May 19, 2002 10:24 pm
Posts: 6887

Posted: Sat Nov 10, 2012 9:12 am
DevNet Resident

Joined: Sun Jun 14, 2009 3:13 pm
Posts: 1146
@christopher Actually I'm checking/regenerating the session IDs too, but I'm also using the token because it is used in another location on an SSL/secure dedicated server. I guess this isn't done very often because I haven't found any recommended methods. So I'm wondering if I'm missing something (other than PCI compliance ;-).

@Benjamin good point. Shared hosting has its weaknesses. I guess for small merchants PCI compliance is more relaxed if no numbers are saved. From what I understand it is an acceptable scenario for compliance. For sites with very few transactions, the owners can't justify the 5x higher costs of dedicated servers. Certainly many cheap shared hosts are not caged, or configured poorly and they would be a much higher risk too than a medium priced host that advertises their focus is on security with caged systems, regular audits and updates.

