views:

161

answers:

5

I have seen many sites that claim to have bank grade security encryption. If their web sites have been built with PHP, what other forms of security can exist aside from using mysql_real_escape_string and 128-bit SSL encryption?

A: 

Prepared statements would be a good start. Big improvement over worrying about escaping strings, which is not 100% foolproof.

http://php.net/manual/en/pdo.prepared-statements.php

Also, those claims, while probably factual, are kind of silly - meant for people who don't understand website security. Here are a few examples of other forms of security that have nothing to do with "bank grade encryption":

  • Strictly enforcing a strong password policy
  • Keeping your server's software updated
  • Having your server properly set up in the first place
  • Cleansing user submitted content for all XSS attempts

There is plenty more that can be added to that list. I still have lots to learn about security, but I hope that gets you started.

Syntax Error
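The prepared-statement advice and the XSS item from the list, side by side with the string-building pattern they replace. This is an added example, not code from the answer above; it uses an in-memory SQLite database through PDO so it runs stand-alone, and the two user rows and the attacker input are constructed for the demonstration.

```php
<?php
// Added example, not code from the answer above. It uses an in-memory SQLite database
// through PDO so it runs stand-alone; for MySQL only the DSN and credentials change.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");   // constructed sample rows

// The pattern mysql_real_escape_string() exists to patch up: the value is spliced
// into the SQL text, so one forgotten escape (or quote) lets it rewrite the query.
function find_users_unsafe(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";   // DON'T
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the SQL text is fixed before the value is bound, so the value
// can only ever be compared against the column, never parsed as SQL.
function find_users(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The XSS half of the same rule: escape at the point the value reaches HTML,
// whatever route it took into the database.
function render(array $rows): string
{
    if ($rows === []) {
        return "<li>No such user.</li>\n";
    }
    $out = '';
    foreach ($rows as $row) {
        $out .= '<li>' . htmlspecialchars($row['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</li>\n";
    }
    return $out;
}

$evil = "x' OR '1'='1";   // constructed attacker input
printf("%d row(s) from the concatenated query\n", count(find_users_unsafe($db, $evil)));
printf("%d row(s) from the prepared statement\n", count(find_users($db, $evil)));
echo render(find_users($db, '<script>alert(1)</script>'));
```

Run it with `php example.php`: the concatenated query returns every user because `'1'='1'` is always true, while the prepared statement returns none, since the whole string is compared against the name column. When you move this to MySQL, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the driver uses real server-side prepares rather than escaping and interpolating on the client.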
A: 

Fundamental rule of secure authentication: there are three kinds of things to check - something you know, something you have, something you are. You should use at least two of them. (Banks typically use a password and a smartcard or mobile phone.)

As for "bank grade security encryption", I would guess that is marketing-speak for saying they are using SSL, as the client-server connection is the only place where there is a need for encryption. (You should hash and salt your passwords, but that's not exactly encryption.)

Tgr
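How the "hash and salt your passwords" advice looks in PHP, as an added example that is not part of the answer above. It relies on password_hash()/password_verify() (PHP 5.5 and later), which generate a random salt per password and store it inside the hash string, and it shows the upgrade path for an application whose table still holds unsalted MD5 hashes. The $users array is a constructed stand-in for that table.

```php
<?php
// Added example, not code from the answer above. $users stands in for a users table
// with a `password_hash` column; the rows and passwords are constructed.
function hash_password(string $plain): string
{
    // bcrypt with a random salt generated by PHP and embedded in the returned string,
    // so the application never stores or handles the salt separately
    return password_hash($plain, PASSWORD_DEFAULT);
}

// Returns the (possibly upgraded) stored hash on success, null on a bad password.
function login(array &$user, string $plain): ?string
{
    $stored = $user['password_hash'];

    // Legacy unsalted MD5 rows (32 hex characters): accept once, then replace
    // with a salted bcrypt hash so the old hash is gone after the first login.
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        if (!hash_equals($stored, md5($plain))) {   // constant-time compare
            return null;
        }
        $user['password_hash'] = hash_password($plain);
        return $user['password_hash'];
    }

    if (!password_verify($plain, $stored)) {
        return null;
    }
    // Transparently re-hash if the default algorithm or cost has moved on.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $user['password_hash'] = hash_password($plain);
    }
    return $user['password_hash'];
}

$users = [
    'alice' => ['password_hash' => md5('hunter2')],            // constructed legacy row
    'bob'   => ['password_hash' => hash_password('s3cret!')],  // constructed modern row
];

var_dump(login($users['alice'], 'wrong') === null);
var_dump(login($users['alice'], 'hunter2') !== null);
var_dump(strpos($users['alice']['password_hash'], '$2y$') === 0);   // now a bcrypt hash
var_dump(login($users['bob'], 's3cret!') !== null);
var_dump(hash_password('same') !== hash_password('same'));          // salt differs each call
```

The last line is the point of salting: the same password hashed twice gives two different strings, so an attacker who dumps the table cannot spot shared passwords or use one precomputed table against every row. Hashing is also one-way, which is why it is the right tool for passwords and encryption is not: the application never needs the password back, only to check a candidate against it.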
+1  A: 

When a company is advertising "Government Strength" or "Bank Grade" security they are probably talking about the FIPS 140 cryptographic standard. Most often cryptography is not the problem in securing a real world system.

For instance this USB Key is extremely vulnerable and it used the "FIPS 140" selling point with AES256! A 128 bit number is massive, and AES128 is FIPS 140 compliant. Having more bits is just a penis measuring contest. The US government is hardly a role model for security because Twitter can break their crypto, and this wasn't due to the cipher's key size.

Rook
A: 

Many companies believe (or try to convince their customers) they are secure because they use strong cryptography. If an attacker wants to break into their site the last thing they will be doing is trying to break the crypto. They will be looking for the low hanging fruit such as SQL injection, buffer overflows and CSRF. Most vulnerabilities are not because of weak crypto, but because the basic security principle "never trust user input" is not followed. Don't get me wrong, cryptography is an essential component, but using it doesn't mean you're secure.

A good place to start is to look at the many resources available on securing websites. Here are a few:

bignum
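An added example for the CSRF item in that list of low hanging fruit (not the answer's own code): a synchronizer token tied to the PHP session, generated with random_bytes() (PHP 7 and later) and compared with hash_equals(). The transfer form and the handler are placeholders for whatever state-changing action the site exposes.

```php
<?php
// Added example, not code from the answer above. Synchronizer-token CSRF protection:
// a per-session random secret is embedded in every state-changing form and must be
// echoed back on POST. A cross-site attacker can make the browser send the request,
// but cannot read the victim's session to learn the token.
session_start();

function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
    }
    return $_SESSION['csrf_token'];
}

// Hidden field for inclusion in every form that changes state.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// True only if the submitted token matches the session's token.
function csrf_check(array $post): bool
{
    $sent = $post['csrf_token'] ?? '';
    // hash_equals() compares in constant time so a timing oracle cannot recover the token
    return is_string($sent) && hash_equals(csrf_token(), $sent);
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // placeholder: the real state change (transfer, password change, ...) goes here
    echo '<p>Transfer accepted.</p>';
}
?>
<form method="post" action="">
  <?= csrf_field() ?>
  <input type="text" name="amount">
  <button type="submit">Transfer</button>
</form>
```

The check belongs on every request that changes state, never on GET handlers, and it complements rather than replaces the input-handling rule from the answer: the token proves the request came from your own page, while prepared statements and output escaping deal with what the request carries.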
A: 

bank grade security encription

[sic] I think I would run a mile if I saw that on a website!

But seriously... it's easy to get an SSL certificate, and those used by banks for customer data are no different from those elsewhere (except usually they are underwritten to a far greater amount).

However financial institutions in Europe and N. America have very specific constraints on how they manage and encrypt data (e.g. BS7799) which define not only technical standards but also operational practices. So claiming you have SSL as secure as the banks is a very partial truth - and really just a marketing spin.

But to address your question... which seems to boil down to "How do I make my site secure?", having a certificate and using mysql_real_escape_string() is barely scratching the surface of security. A proper answer would fill several books. You could start by reading what Stefan Esser and Chris Shiflett have published on the internet.

C.

symcbean