| w_ashley 2004-01-19, 6:32 am |
| "R Z" <bob_whale@yahoo.com> wrote in message news:<zMmCb.13521$aF2.1547484@news20.bellglobal.com>...quote:
> I am currently in the process of setting up a server that will be accessible to
> the world and used by some 3000 registered users.
>
> The whole website will be powered by PHP and MySQL, while authentication
> will be session based.
> I know that session cookies can be intercepted and then some reverse
> engineering can be done to obtain sensitive information.
>
> I am wondering if employing Apache HTTPS would resolve the problem, since
> all data would be encrypted when traveling between the client and the
> server?
>
> What the heck are those certificates that Verio sells? Do I need those to
> have a secure server?
>
> Thanks in advance
>
> R>
What about using encryption or PGP services? Note that it seems more
and more keys are being broken as time goes on, even AES now. However,
depending on the bandwidth overload it could be an idea. You could
also consider MD5, Kerberos etc. checking or some virtual
service, although it may make your service more complicated. Here is
an intro to VeriSign:
http://www.verio.com/support/view_a...cfm?doc_id=669. The question
is what information is sensitive? That is where the dilemma exists. In
the case of credit cards etc., confirmation of purchases etc.,
personal information such as name etc. isn't needed. Really the
situation is that trust is impossible anyway as far as online goes. It is
only with MAC/IP binding and ISP structuring that truly "location"-
oriented services will come into play. It turns the net over to
structure and places control with the corps and government, and they
can't yet completely control it, so with the infighting gone the
people will be against them should they make any demands, and those
demands even more apparent. So instead an organized chaotic cloud is
in place and people are slowly being corroded until technology is
sufficient for domination, either that or incompetence on the part of
corps to enforce legislation. Anyway, essentially they are using
"organized" standardized keys it seems; I'd have to do more reading
on specifically how they work.

My advice however (not that it's worth anything) is don't use sensitive
information; allow product ordering and credit card info to be sent to
you by email etc. and have an auto-parsing system to do the orders
etc. You don't need to send anything back except for a confirmation
of orders received etc. or to supply the content purchased.
Subscriptions etc. and online profiles shouldn't be needed on the
server; instead they can be kept after the email sense and any changes
can be sent via an email template(tm). Although the difference of the
services may be something else. The way I see it, the more layers you
add the more room for error there is; keep it simple and to the point.
IP-to-IP broadcasts: the telephone system is the question, and really
streams and caches shouldn't exist, so unless there is illegal activity
happening at the phone company side (ISPs) or someone slicing a
line (which ISPs should be able to monitor for errors and respond to
immediately, line breaks etc., even if they correct themselves)
that's really the only way that data "should" be able to be
intercepted. Otherwise one of the systems is cracked. Other than that
I guess I have a lot to learn. Any suggestions or information I don't
have that anyone wants to share about data hijacks?

Note: set up your email as two one-way systems, that is one that only
accepts incoming messages and another that only does outgoing messages;
the server parser that handles orders etc. should be separate from the
two, only handling the parsing of data from the email clients and not
directly accessible. I have some other safe systems; however I still
have a lot to learn. Veri, as a social engineering agent much like
iTrust etc. or eTrust, may be good for building customer confidence
with your site as well as making things easier for you to handle, that
is you don't need to be a crypto 'expert' nor do your customers. Just
some ideas.
|
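The original question asks whether serving the site over HTTPS stops session cookies from being intercepted. HTTPS does protect the cookie in transit, but only if the application never lets the browser send it over plain HTTP, and an ID that was captured or planted before login must still be thrown away at login. The following is an added example, not code from either poster, showing how a PHP/MySQL site of the kind described would tighten its session handling; it assumes PHP 5.2 or later (for the `httponly` cookie flag), an Apache vhost with mod_ssl already configured, and the function names below are illustrative. The user lookup is a constructed stand-in for the site's own MySQL query.

```php
<?php
// Added example (not from the original thread): hardening PHP session
// handling for a site served over Apache HTTPS. Function names are
// illustrative; the user table is constructed for the example.

// Refuse to serve the authenticated part of the site over plain HTTP, so
// the session cookie is never transmitted in cleartext where it could be
// sniffed on the wire.
function require_https() {
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        $url = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
        header('Location: ' . $url, true, 301);
        exit;
    }
}

// Start a session whose ID cookie is only sent over TLS ('secure'), is
// not readable by page scripts ('httponly'), and cannot be supplied in
// the URL (use_only_cookies / no trans_sid), which blocks session
// fixation through links such as /login.php?PHPSESSID=attacker_chosen.
function start_hardened_session() {
    ini_set('session.use_only_cookies', 1);
    ini_set('session.use_trans_sid', 0);
    session_set_cookie_params(
        0,      // lifetime: until the browser closes
        '/',    // path
        '',     // domain: current host only
        true,   // secure: HTTPS only
        true    // httponly: not exposed to JavaScript
    );
    session_start();
}

// Constructed stand-in for the MySQL lookup. A real site stores a salted
// password hash per user and compares with password_verify() (PHP 5.5+).
function lookup_user_id($username, $password) {
    static $users = null;
    if ($users === null) {
        $users = array(
            'alice' => array('id' => 42,
                             'hash' => password_hash('correct horse', PASSWORD_DEFAULT)),
        );
    }
    if (!isset($users[$username])) {
        return null;
    }
    return password_verify($password, $users[$username]['hash'])
        ? $users[$username]['id'] : null;
}

// On successful login, discard the pre-authentication session ID so that
// an ID captured or planted before login is worthless afterwards.
function login_user($user_id) {
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user_id;
    $_SESSION['login_time'] = time();
}

function current_user() {
    return isset($_SESSION['user_id']) ? $_SESSION['user_id'] : null;
}

// Usage in a login handler.
require_https();
start_hardened_session();
if (current_user() === null && isset($_POST['username'], $_POST['password'])) {
    $id = lookup_user_id($_POST['username'], $_POST['password']);
    if ($id !== null) {
        login_user($id);
    }
}
```

Two caveats a practitioner would add: TLS addresses interception on the network path only, so a cookie can still be stolen by script injection on the page (hence the `httponly` flag) or by a compromise of the server itself; and the certificates a provider such as Verio sells are CA-signed server certificates, which let browsers verify the server's identity without a warning. A self-signed certificate gives the same encryption but users see a trust warning, which is why a public site with 3000 users normally buys one.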