Advanced security questions

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

User avatar
volomike
Forum Regular
Posts: 633
Joined: Wed Jan 16, 2008 9:04 am
Location: Myrtle Beach, South Carolina, USA

Re: Advanced security questions

Post by volomike »

Or just switch to PostgreSQL.
examancer
Forum Newbie
Posts: 14
Joined: Mon Jan 05, 2009 5:39 pm

Re: Advanced security questions

Post by examancer »

volomike wrote:Or just switch to PostgreSQL.
What is the advantage there? Can it create full-text indexes for encrypted columns, without exposing the data?
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Advanced security questions

Post by Mordred »

Can it create full-text indexes for encrypted columns, without exposing the data?
Full-text indices do leak information about the document. There is no (to my knowledge) support for FT indexing of encrypted text, but any alternative solution you may come to will still suffer from this (inherent to the indexing process) information leakage. Be sure that you know how to deal with it - limit the access to the search functionality only to the document owner, create "personal" search indices which are also encrypted with the owner key, etc.

Otherwise getting hold of your FT index will let the attacker know which documents (belonging to which users) contain "bomb", "plane", "smurf the government", "<insert deity> akbar", etc.
There's always a balance between security and usability, make your choice on which of the two sides to lean.
examancer
Forum Newbie
Posts: 14
Joined: Mon Jan 05, 2009 5:39 pm

Re: Advanced security questions

Post by examancer »

Good information. I was figured indicies had to leak some of the data and you have confirmed that. However, a light bulb went off when you said this:
Mordred wrote:...create "personal" search indices which are also encrypted with the owner key
This sounds like a great solution. I was looking at some of the tools I have been pointed to for maintaining my own indexes, and I'm sure I could come up with a way to create and maintain indexes for my users, then serialize and store their personal index in the database (encrypted of course), allowing me to offer fast search without breaking security.

THANK YOU!
aschlosberg
Forum Newbie
Posts: 24
Joined: Fri Jan 23, 2009 10:17 pm

Re: Advanced security questions

Post by aschlosberg »

Not sure if anyone has pointed this out but you have an XSS vulnerability in the way you display the username. Try logging in with the username <script>alert(1);</script> - you can execute any Javascript that you want to.

EDIT: XSS - http://en.wikipedia.org/wiki/Cross-site_scripting
Post Reply