OpenSSL or is there something else?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
mattkenefick
Forum Newbie
Posts: 12
Joined: Tue May 29, 2007 1:01 pm

OpenSSL or is there something else?

Post by mattkenefick »

I need to securely post and transfer data on my site.


An external script from Domain1.com posts data to my site, Domain2.com. I need to securely echo out "blah=mySecretString"
When I look at it all with a network analyzer like Ethereal, i can see the blah=mySecretString in plain text. Is there anyway to make it encrypted over the network, but still display as plain text?
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Is there a reason it needs to continue to be plain text?

Typically you can add an authenticity hash using an HMAC-styled (or even padded/salted) variant. This can allow you keep the data plain text, too.
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

Plaintext is almost the exact opposite of secret. A good symetric encryption with a shared (between the two scripts) key should do your job (beware the admins/owners of the two servers though). SSL can do the job of secure transport, but it only works one-way (domain1 is certain that it talks to domain2, but not vice versa). How do you stop a rogue domain3 to post the same data to domain2?
Post Reply