Programming, Security and looking for a real solution!

It seems like every week a couple more people post about PHP security, or any other language for that matter.

PHP is insecure!
Web 2.0 is insecure!
XYZ is insecure!

Why all the problems? Sure, PHP has its issues, just like any other language. What's the common factor in most cases? That's pretty simple: know thy data! Is it safe? Who did it come from? Wait a minute, "Who did it come from?" It came from the person viewing the website.

Fact is, there's no way to be sure. Browsers support validation of websites, but websites can't validate the person!

The first suggestion is always to use SSL, but that's website validation. It protects data being sent to the website; it does not, however, ensure that the data came from the correct person!

What can we do? Problems are a dime a dozen, but solutions, those are valuable. What's my solution? PGP (Pretty Good Privacy).

First is key generation

Browser Side
1. Lowest security option: the browser generates keys on install. This key follows the browser and can be used to identify the browser even across multiple visits.
2. Second option: the browser generates a new key on startup.
3. Most secure option: the browser generates a new key on each website visit.

Website Side
Generating new keys for each connection would be too much for a server, so maybe just on startup?

So now the browser has its own keys. On first connect to a website it sends a public key and gets the website's public key. It encrypts an ID using the website's key and returns it; the website then returns the key encrypted with the browser's public key.

Once you get the initial loop started you're back to normal web transactions, the only difference being an added public-key-encrypted value passed back and forth for verification.

For the long term, a browser could "keep" a single key for a website and always supply and use that same key, providing long-term protection for logging into a website.
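The first-connect loop described above, as an added example that is not part of the original post. It assumes RSA-OAEP from Node's built-in `crypto` module in place of PGP, reads "returns the key" as the website sending the same ID back, and all function names are hypothetical.

```javascript
// Added example: RSA-OAEP stands in for PGP; names are illustrative only.
const crypto = require("node:crypto");

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Each side holds its own key pair and only ever shares publicKey.
function makeParty() {
  return crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
}

function seal(recipientPublicKey, data) {
  return crypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, data);
}

function open(ownPrivateKey, sealed) {
  return crypto.privateDecrypt({ key: ownPrivateKey, ...OAEP }, sealed);
}

// Browser, step 1: pick a random ID and encrypt it with the website's public key.
function browserHello(sitePublicKey) {
  const id = crypto.randomBytes(16);
  return { id, sealedForSite: seal(sitePublicKey, id) };
}

// Website, step 2: recover the ID and send it back encrypted with the
// public key it was given as the browser's.
function siteReply(site, browserPublicKey, sealedForSite) {
  const id = open(site.privateKey, sealedForSite);
  return { id, sealedForBrowser: seal(browserPublicKey, id) };
}

// Browser, step 3: the loop closes only if the ID it chose comes back.
function browserConfirm(browser, expectedId, sealedForBrowser) {
  try {
    const got = open(browser.privateKey, sealedForBrowser);
    return got.length === expectedId.length && crypto.timingSafeEqual(got, expectedId);
  } catch {
    return false; // reply was not encrypted to this browser's key, or was corrupted
  }
}

// keySentAsBrowser lets the example show what happens when the public key the
// website received does not belong to the browser holding the private key.
function runHandshake(browser, site, keySentAsBrowser = browser.publicKey) {
  const hello = browserHello(site.publicKey);
  const reply = siteReply(site, keySentAsBrowser, hello.sealedForSite);
  return browserConfirm(browser, hello.id, reply.sealedForBrowser);
}
```

A `true` result shows that the reply was readable with the private key matching the public key sent at first connect; the website learns which key it is talking to, not which person holds it.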

So that's my 5 cents. I now open this up to other ideas; feel free to register and post. Don't be alarmed if your post doesn't show up right away: they're filtered and sometimes have to be manually approved.