What should every web developer know about encryption?

Tags:

php

encryption

I've just landed a PHP5 gig. I won't be handling the parts of the application that involve super sensitive data, but I still know embarrassingly little about security and encryption methods. I only know the very basics (don't store passwords in plaintext, don't allow users to run code using post data, etc). What do I need to know to keep my applications secure, and where can I learn it?

jcw asked Aug 03 '09 18:08



2 Answers

Learn the difference between hashes and encryption. Encryptions are generally two-way interpretations of a string. I can encrypt my password, and then decrypt it to plaintext again. The idea behind hashes is that they become a one-way 'encryption.'

On my sites I store passwords as hashes. Anytime a user signs on, I re-hash their provided password, test it against the hash stored in the database and approve if they match. I cannot send them their password if they forget it, since (generally) there is no way for me to know. Two different strings can translate into the same hash, which makes it (generally) impossible to find out what the original string was.

This is one issue that is good to get a firm understanding of, and discern when to use encryption vs. hashes.

Sampson answered Oct 09 '22 04:10
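The sign-on flow this answer describes (store only a hash, re-hash the supplied password at login, compare), as an added example that is not part of the answer. It uses PHP's built-in `password_hash()`/`password_verify()` (bcrypt, available from PHP 5.5), which the 2009 answer predates; the `$users` array stands in for the database table and is constructed here for the demo.

```php
<?php
// Added example: password storage as a one-way hash, not reversible encryption.
// Assumes PHP >= 5.5 for password_hash()/password_verify().
// $users is a constructed stand-in for the users table: username => stored hash.

/** Registration: store only a salted, one-way hash, never the password itself. */
function registerUser(array &$users, $username, $password)
{
    // password_hash() generates a random salt and embeds it in the result,
    // so two users with the same password still get different stored hashes.
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

/** Sign-on: re-hash the supplied password and compare it with the stored hash. */
function signOn(array &$users, $username, $password)
{
    // A hash of a throwaway value, computed once, so that an unknown username
    // costs the same verify time as a wrong password (no user-enumeration timing hint).
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('placeholder', PASSWORD_DEFAULT);
    }

    if (!isset($users[$username])) {
        password_verify($password, $dummyHash);
        return false;
    }

    // password_verify() re-derives the hash with the embedded salt and
    // compares in constant time; the stored hash is never decrypted.
    if (!password_verify($password, $users[$username])) {
        return false;
    }

    // If the default cost or algorithm has been strengthened since the hash was
    // made, this is the only moment the plaintext is available to upgrade it.
    if (password_needs_rehash($users[$username], PASSWORD_DEFAULT)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

$users = array();
registerUser($users, 'alice', 'correct horse battery staple');

var_dump(signOn($users, 'alice', 'correct horse battery staple'));
var_dump(signOn($users, 'alice', 'wrong password'));
var_dump(signOn($users, 'mallory', 'anything'));

// What the database holds: a bcrypt string with its salt, which differs on every run.
echo $users['alice'], PHP_EOL;
```

Because the stored value is a hash, a "forgot password" feature can only issue a reset, never send the old password back, which is exactly the limitation the answer describes.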


Know not to write your own encryption functionality. An existing, trusted library is the best way to go wherever possible. Avoid cool, bleeding edge technologies that lack many successful programmer-hours and user-hours behind them. Know not to trust the functionality you choose until you've thoroughly tested it yourself, first-person. Keep abreast of new developments which may antiquate your chosen functionality overnight. Know that just because you're using the best encryption technology available today, you've protected nothing if you leave the keys on the table (e.g., cleartext is not in a cache or stored in another table in the same database, private keys not left in the open).

Bob Kaufman answered Oct 09 '22 03:10