NYPHP.org

[nycphp-talk] Website Data Encryption tools

David Krings ramons at gmx.net
Sun Apr 6 20:49:58 EDT 2008


Joe Leo wrote:
> Wow, I really appreciate the feedback and some of the many comments I am 
> getting to my original question. I ask my original question not so much 
> I have some secrecy of any kind of application. As I mentioned, I'm not 
> much of a programmer in practice. I'm just getting interested in the 
> encryption technology as a whole and since I have not really used any of 
> them I wanted to get an idea how effective they are.

Ah, so you are not really creating a PHP application, but only want to inquire 
about encryption technologies? While that is a valid question to ask, you 
seemed to be asking more for an entire protection package, which encryption is 
only a small part of. I used to work for a company that makes electronic 
locks. A simple battery powered mortise lock starts at 1,000$. I once was 
asked by an IT services manager at a university which lock I recommend they 
put on the server room. I told him that it doesn't matter as long as the walls 
are made from sheet rock and one can just crawl in through the plenum anyway. 
The way I see it, the lock is the encryption piece you are looking for, but 
you don't ask about the fact that physical access to the server is easy and 
that someone even left a cart right next to it.
If you want to learn about encryption technology I'd recommend a walk to the 
local library and take a look at what they got. After that a good question to 
ask is who on this list made use of encryption technologies. You may also want 
to contact the various encryption tool vendors, but be warned that they will 
constantly mail you their marketing garbage. I did that once because I wanted 
to get a free 512MB USB drive. VeriSign still owes me the drive, but they make 
sure that my recycling bin is full.

> Now the feedback with the questions and comments I am getting are good, 
> in that, they make me think why would I use it and to achieve what 
> purpose. What I've been hoping to gain from asking my question is then 
> why & when to use such encryption tool - especially, when hosting your 
> data remotely by a hosting provider.

Ah, ok, but repeating myself here, only looking at encryption when using 3rd 
party hosting is really not the right approach in my opinion. You also need to 
see that the database and the web server are not necessarily on the same 
system. And you look only at file encryption as it seems, you need to look at 
data transfer encryption as well, which is a different animal and depends on 
what the server and client are. When the client is a browser you likely will 
have less choice of what kind of encryption you can use. Also, I mentioned 
obfuscation earlier, which is not the same as encryption. And you need to ask 
if encryption is really necessary and if you can secure the systems by other 
means as effectively.

> 
> My thought is if encryption techniques like TrueCrypt work - Why not 
> use it regardless who is your hosting provider. Or, having to consider 
> questions like who you trying to protect data from. I mean, when you buy 
> a nice brand new expensive car you have a key to lock the doors and some 
> go further to put in a car alarm or car tracking device. Who you're 
> trying to prevent from stealing your car is a no-brainer question to 
> consider - IMO. One knows that locking the door and/or having a car 
> alarm is a deterrent - Though not 100% guaranteed. Maybe my example is 
> not the best but just trying to raise a point.

Well, encryption comes at a cost, the performance of the entire system will go 
down and that may require that you create parallel system(s) to handle the 
load. Things get really complicated then.
Besides that, I always leave my car unlocked. Want to steal my crappy 29.99$ 
radio? Go right ahead. Gives me a reason to buy a better one. But please don't 
smash a window, which is way more expensive to replace. Or take the entire car 
and please don't have police find it. I have a cheap car that brings me from A 
to B. I just don't see the point in expensive cars that have big engines, are 
heavy and use excessive amounts of gas - but I guess that is not the point of 
this discussion.


> In my question to deploy some encryption on my data would (help) 
> minimize people stealing private data - Why not use it, especially if 
> there's not much performance penalty.

Why would encryption help when I can take the entire server and take my time 
decrypting the data? Or if I can use some off the shelf equipment from 
RadioShack and software off the web to capture and decipher the EMF from the 
client's mouse, keyboard and monitor? Tests have shown that one can read input 
and output this way from an office across the street.

> 
> David, regarding your comments below:
> 
>     So are you worried about encryption during uploading or about
>     encryption while executing the scripts on the server and serving up
>     content - or both? What other security measures did you include?
> 
> 
> You've hit the right questions I am looking to understand. The answer is 
> both. From what I understand about a tool like TrueCrypt I can encrypt 
> say my webfolder (web site) and upload it to my hosting provider. And, 

The way I understand it is that you can encrypt it once it is at your provider 
and need to decrypt it once you want to use it. At least that is what I got 
from the articles I read in the past, but I haven't read any more technical 
info about it. But uploading an encrypted folder requires that the hosting 
provider has servers that can decrypt the folder. Again, I don't think that 
file encryption is really the thing to look first at.


> what I am trying to understand is can the encrypted data remain 
> encrypted and still serve content. Or, once I upload the encrypted data 
> must I need to decrypt it to serve the content? I am not concerned about 

You need to decrypt it at some point, the latest is at the client, unless you 
find persons that can decrypt digital data on the fly. I don't think these 
persons exist.


> data being encrypted out to the users browser. SSL takes care of that - 
> right? So, if it is that I can encrypt and it remains encrypted while 
> serving content then this is not a bad solution. And, of course one can 
> take other measures like ssh to the server to actually keep access to it 
> secure.

I don't know what SSL takes care of, but I don't think that SSL is what is 
used for file encryption. As mentioned before data transfer encryption and 
file encryption are two different things.

Say, you aren't writing some paper for the school that is due tomorrow, do you?

David