Re: Secure Communication?


 



To all:

Part of the problem in discussing security is that there are all sorts of security issues.

There is the obvious cleaning and scrubbing of data coming into your site from outside sources such as from POST, GET, COOKIES, and such.

There's the security problem of communication between your users and your server, thus HTTPS and SSL come into play.

There is the security problem in what access your users have to your data, such as in setting directory permissions, placing files out-of-the-root, placing data in a database and controlling users' access to such data.

And then there is the security involved in what happens *if* your server is hacked and all your "private" data is seen by a third party. What does all that entail -- and -- how you might be able to protect yourself should be paramount in every developer's mind.

Now, I'm not a server guy, nor do I know what happens when a server is hacked, nor do I know what data might be exposed. I will say it would be nice to have a server guru, like Daniel Brown, wade in on this and tell us what is the range of things that can actually happen and what data might be exposed and how we might protect ourselves.

At this point, I don't know the answers to those questions, but in my readings I found that if a server is hacked, then all data contained on the site can be read by a third party. Even encrypted data can be decrypted *if* the keys are exposed. In addition, access to the database can happen if the user-name and password are kept in a file, or code, that is exposed to the hacker after hacking. Everything is exposed.

As such, that was my recent concern and my subsequent "Secure Communication?" post -- it was a way to protect data.

Now, how likely is it that a server might be hacked -- again, I don't know. However, I sent numerous emails corresponding with GoDaddy.com as to what they would do *if* their servers were hacked and their customers' sensitive data was exposed to a third party, which caused their customers harm.

I assumed that GoDaddy.com had insurance policies and procedures in place to mitigate damages for their customers, but unfortunately they responded that each case would be handled on a "We'll see" basis -- and I think we all know what that means.

So, if you want to secure your data on a server, it means that you should take steps to do that and not rely upon the host to do that for you. Like I said, it would be nice to have a server guru wade in on this to clarify things.

Cheers,

tedd

--
-------
http://sperling.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


