Hi folks,

I read all the posts on HTTP over SSL. So far, I know how to get the data securely in a Web form. But I'm missing the part about recovering and keeping the data in the same way. I need a form on my website to collect sensitive data from customers (maybe also credit card numbers for booking, but no credit card authorization process is required) and later keep and read that data in a secure way.

Then, for a basic secure Web application I need:

a) Web site with SSL Domain Validated (DV) Certificate (I don't have fixed IP address. I use basic shared or "virtual" hosting service).

b) Develop a simple PHP & MySQL application that collects sensitive data from customers, putting all the app's PHP files in the SSL-secured folder.

c) All the collected data is going to be stored in the server's MySQL database.

This is the question part of my message:

1) If I later use phpMyAdmin to take a look at the database over the regular hoster services (HTTP), isn't this insecure?

2) What about the hosting administrators? They could also read all the sensitive data if I use plain text in the database. But could encryption methods for the data on the server (not only in transmission over SSL) be enough? Isn't it true that the encryption encoding/decoding method could be intercepted by the hosting administrators? (Consider this: the method is inside the application on the same server.) I can't pay for the convenience and security of my own server.

3) Considering those things, and assuming that they are true... does it really matter if I go for database encryption?

Maybe I missed something or I'm misinterpreting some issue.

Thanks a lot for your help and patience.

+1  A: 
  1. It is.

  2. They can.

  3. Not really but it could still be a good idea. Someone could get hold of your database and not the PHP source code. Then encryption in the database would be a good thing.

You are correct. The only way to be sure is to run your own server. Also, you should know about the Payment Card Industry Data Security Standard.

Jonas Elfström
+1  A: 

1) Seeing the data with phpmyadmin over HTTP is insecure, of course.

Regarding 2), if you don't have physical security, then you can't have any security (perhaps with the exception of storing encrypted data which you encrypt and decrypt outside the hosting site).

As your hosting company has access to the computer, they can read all your data.

Having said that, in my experience hosting providers will not do that and try to keep your data safe (because that is their business), pretty much in the same way that banks' business is to keep your money for you and safeguard it, not take it.

3) Go for database encryption only if you keep backups. For running the live version it provides little more security (if at all) and makes things more cumbersome.

flybywire
+2  A: 
  1. Yes. HTTP is insecure.
  2. Yes, plain text in the database is insecure. Encrypted is slightly more "secure" - it'll deter someone who casually looks through - but anyone with access to the server also has access to the script doing the encrypting / decrypting.
  3. I'd say yes. Encryption in your case won't do a thing against a dedicated attacker, but it'll prevent some sysadmin idly browsing through from immediately having the data without having to make the deliberate step to break in.

I hope you're not storing credit card or other sensitive data, particularly if covered by privacy laws in your jurisdiction. Storing that sort of stuff on a shared server will probably get you sued. If nothing else, storage of credit card data in this manner will be a violation of your merchant account - if they get wind of it, Visa and MasterCard will become unavailable to you.

ceejayoz
+4  A: 

These shared hosting plans are not really up to the job of collecting credit card numbers - you are better off using a payment gateway and not storing them yourself.

See some regulations on this: PCI

UpTheCreek
A: 

Having an encryption/decryption process entirely on the server is, as you suspect, mere obfuscation and not secure in itself. It can help in cases of a partial compromise, where an attacker gains read access to the database (typically through an SQL injection hole) but no ability to read the site scripts or run arbitrary code.

If you only need to write out sensitive data (canonically credit card numbers) that the server doesn't need to be able to read back in, you can do that with public key cryptography. Encrypt the data with your public key, then read it only on a known-secure machine that has the corresponding private key. This protects past data in the case of a greater compromise where the scripts are readable, and in the case where an attacker gains write-access to the scripts, they at least only get new incoming data leaked, and not the old stuff. Hopefully that would give you time to detect the intrusion and rebuild.

Isn't true that the encryption encoding/decoding method could be intercepted by the hosting administrators?

Yes. But then the hosts have physical access to the machine, so could bang a rootkit on it that intercepted everything the webapp was doing on the fly from day one, if they really wanted. There's no way around trusting your host, so pick a reputable one and don't run sensitive systems on shared servers.

bobince
A: 

I think that bobince is totally correct. Public key crypto can help you, but keep in mind that you lose the comfort of using phpMyAdmin to view the data - you will see garbage that will need to be decrypted somewhere on the side. See http://www.php.net/openssl to learn more about PHP and public key crypto.

spuklo
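The write-only scheme bobince describes, using the PHP openssl functions spuklo points to, as an added example (not code from any of the answers). It assumes the column names `card_data`, `env_key` and `iv`, a constructed non-real card string, and that the key pair is generated on the trusted machine, with only the public key copied to the shared host.

```php
<?php
// Added example. Design: the shared host holds ONLY the public key, so nothing on it
// (scripts, database, admins) can decrypt rows already stored; decryption happens on
// a separate trusted machine holding the private key. openssl_seal() does the hybrid
// step: a fresh random AES key per record, wrapped with the RSA public key.
// Run once on the trusted machine, never on the shared host.
$keypair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($keypair, $privateKeyPem);             // stays on the trusted machine
$publicKeyPem = openssl_pkey_get_details($keypair)['key']; // deployed with the PHP app

// Web server side: called when the booking form is submitted over HTTPS.
// Returns the three base64 columns (assumed names) to INSERT into MySQL.
function sealForOffline(string $plaintext, string $publicKeyPem): array {
    $pub = openssl_pkey_get_public($publicKeyPem);
    if ($pub === false) {
        throw new RuntimeException('bad public key');
    }
    // Generates a random AES key and IV ($iv is filled by reference), encrypts
    // $plaintext with AES-256-CBC and encrypts the AES key with the public key.
    $len = openssl_seal($plaintext, $sealed, $envKeys, [$pub], 'aes-256-cbc', $iv);
    if ($len === false) {
        throw new RuntimeException('openssl_seal failed: ' . openssl_error_string());
    }
    return ['card_data' => base64_encode($sealed),
            'env_key'   => base64_encode($envKeys[0]),
            'iv'        => base64_encode($iv)];
}

// Trusted machine side: takes a row exported from MySQL, recovers the plaintext.
function openOffline(array $row, string $privateKeyPem): string {
    $priv = openssl_pkey_get_private($privateKeyPem);
    if ($priv === false) {
        throw new RuntimeException('bad private key');
    }
    $ok = openssl_open(base64_decode($row['card_data']), $plain,
                       base64_decode($row['env_key']), $priv, 'aes-256-cbc',
                       base64_decode($row['iv']));
    if (!$ok) {
        throw new RuntimeException('openssl_open failed: ' . openssl_error_string());
    }
    return $plain;
}

// Round trip with a constructed, non-real card string.
$card = '4111111111111111|12/30|Jane Doe';
$row  = sealForOffline($card, $publicKeyPem);
if (openOffline($row, $privateKeyPem) !== $card) {
    throw new RuntimeException('round trip mismatch');
}
echo "stored as ciphertext, recovered on the trusted machine\n";
```

In a real deployment only `sealForOffline()` and the public key live on the shared host; `openOffline()` and the private key never leave the trusted machine, which is what limits a host-side compromise to data submitted after the compromise.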
A: 

Thank you for your help!! It's very valuable and accurate.

Please keep in mind that I need a booking/reservation Web application, because the credit card info is kept only as a guarantee, and once read by a human it will be immediately deleted from everywhere. If the site visitor confirms the purchase, offline credit card processing will be done.

1) What if I encrypt all the PHP scripts on the server with encryption software like www.sourcecop.com? Then all the scripts with the encryption encoding/decoding method for the database will not be readable by the hosting admins. Is this true?

2) Does SourceCop (or other similar software) have rational security?

3) An alternative is using a third-party service like:

http://www.web-form-buddy.com/html-wfb/secure-forms.html

Any experience with this service?

Thanks again!!