Create robust web security

I have seen many sites that claim to have banking-grade security encryption. If their websites were built using PHP, what other forms of security can exist besides using mysql_real_escape_string and 128-bit SSL encryption?

+4
source share
5 answers

When a company advertises Government Strength or Bank Class, they are likely talking to the FIPS 140 cryptographic standard. Most often, cryptography is not a problem in providing a real system.

For example, this USB dongle is extremely vulnerable, and it used the FIPS 140 point of sale with AES256! The 128-bit number is massive, and AES128 is compatible with FIPS 140. Having more bits is just a penis-measuring competition. The US government is hardly a role model for security because Twitter can break cryptography, and this was not due to the size of the encryption key.

+1
source

Prepared statements will be a good start. A big improvement over worrying about escaping strings that are not 100% reliable.

http://php.net/manual/en/pdo.prepared-statements.php

In addition, these statements, although probably factual, are stupid - intended for people who do not understand the security of the website. Here are a few examples of other forms of security that have nothing to do with "banking class encryption":

  • Strictly enforce strong password policies
  • Updating your server software
  • If your server is configured correctly first
  • Clear user submitted content for all XSS attempts.

You can add many more to this list. I still need to learn a lot about security, but I hope you get started.

0
source
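As an added example (not code from the answer above), the same user lookup written once with string interpolation and once with a PDO prepared statement, plus a password check. The table, column names, DSN and credentials are hypothetical.

```php
<?php
// Added example, not code from the answer above: a login lookup using PDO
// prepared statements instead of mysql_real_escape_string(). Assumes a
// hypothetical `users` table with columns id, username, password_hash.

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4',
        'app_user',
        getenv('DB_PASSWORD') ?: '',
        [
            // Throw on errors rather than silently returning false.
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            // Real server-side prepares: values are sent separately from
            // the SQL text instead of being interpolated by the client.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

// Vulnerable form, shown only for contrast: input is concatenated into the
// query, so any quote in $username changes the SQL. Escaping can be
// forgotten, applied under the wrong charset, or useless in numeric positions.
function findUserUnsafe(PDO $pdo, string $username): ?array
{
    $sql = "SELECT id, username, password_hash FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Hardened form: the SQL text is fixed and $username is bound as a value,
// so quote characters in it are data, never syntax.
function findUser(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, username, password_hash FROM users WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Verify against a stored password_hash() value. password_verify runs even
// on a miss so timing does not reveal whether the account exists.
function checkLogin(PDO $pdo, string $username, string $password): bool
{
    $user = findUser($pdo, $username);
    $hash = $user['password_hash'] ?? password_hash('placeholder', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hash);
    return $user !== null && $ok;
}
```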

The fundamental rule of secure authentication is that there are three types of things to verify: what you know, what you have, and what you are. You must use at least two of them. (Banks usually use a password, smart card, or mobile phone.)

Regarding "banking-grade security encryption," I would suggest that marketingspeak is for using SSL, as the client-server connection is the only place where encryption is needed. (You must use and use your passwords, but this is not entirely encryption.)

0
source

Many companies believe (or try to convince their customers) that they are protected because they use strong cryptography. If an attacker wants to infiltrate his site, the last thing they will do is try to break cryptography. They will look for low-hanging fruits such as SQL injection, buffer overflows and CSRFs. Most vulnerabilities are not due to weak cryptography, but because the underlying security principle never trusts user input. Do not get me wrong, cryptography is an important component, but using this does not mean that you are safe.

A good place to start is to look at the many resources available to protect websites. Here are a few:

0
source

banking class security notice

[sic] I think I would run a mile if I saw this on a website!

But seriously ... it’s easy to get an SSL certificate, and those used by banks for these clients are no different from those located elsewhere (except, as a rule, they are backed up by a much larger amount).

However, financial institutions in Europe and North America have very specific restrictions on how they manage and encrypt data (for example, BS7799), which determine not only technical standards, but also operational practices. Therefore, stating that you have SSL and are as secure as the banks is a very partial truth - and really just marketing spin.

But to address your question .... which seems to be in full swing; all the way to "How do I make my site secure?", having a certificate and using mysql_real_escape_string() barely scratches the security surface. The correct answer would fill several books. You can start by reading what Stefan Esser and Chris Shiflett have posted on the Internet.

FROM.

0
source

Source: https://habr.com/ru/post/1309954/