
Need private personal access to ~three PHP pages

@Chiappetta492

Posted in: #Https #Php #Security

I would like secure access to the text output by three PHP scripts (the text output is JavaScript and HTML). The security level is much less than financial data but important nonetheless. I have considered purchasing AND studying HTTPS and SSL certificates. Hostgator charges an extra /month for a private IP plus + annually for a certificate. This is more than I want to spend for this project (time + money).

Is there a simpler solution that is:


less expensive
easier to implement.


I'm open to different approaches.


3 Comments


@Kimberly868

Any custom code you write (or anything you do) to display this output "securely" within the browser with SSL/TLS will be open to MITM attacks (see JavaScript cryptography considered harmful): browsers don't give you any way to verify the authenticity of the code you're running (going through all the JavaScript code whenever you use it is quite unrealistic).

You get a few options:


If you don't expect the output to be read from a browser, you can make your server encrypt the data, then you can save it from your browser and decipher that file using another application.
Some shared hosting services will still serve your content at www.yourserver.example/ using their own certificate (only valid for yourhost.example, but not yourserver.example).
If this works in your case, and if you can trust that the certificate presented to you by the server is realistically that of the server on which your service is hosted (e.g. a cert that would be valid for yourhost.example), you can add a permanent security exception in Firefox (for example). This is usually not acceptable if your site is for more public use, but if you can judge that you can trust that server certificate, you will still have all the benefits of SSL/TLS when connecting to that server. This is clearly not ideal and requires some of your own judgement when setting such an exception. In your case, if the certificate you get for www.yourserver.example/ is valid for secure1.hostgator.com (or something like that), it would seem reasonable to assume you're connecting to your shared server.
Use your host's shared SSL facility (as they seem to provide one). The URL won't look like it's yours, but it should at least be secure without any specific exception, and it's fine for personal access.


EDIT: To clarify the point about custom code.

Most modern browsers have a key/cert container (e.g. Software Security device on Firefox at least) where private keys can be used for SSL/TLS client authentication.

In this case, the private key is always controlled by the browser itself, and never given away to any page or script. However, browsers generally don't expose the private key in the same way for use by JavaScript so as to be able to decrypt some content without giving full access to the private key itself: in this case, you could never be certain that the key isn't sent to some other server, especially in a context where a MITM attacker would have been in a position to alter the script (which is unverifiable, since you can't really see the code you're running on a page).

There is a Mozilla JavaScript extension (signText) that should protect the key for signing the correct way, but there's nothing to decrypt. There are also on-going efforts to make more cryptographic operations available, but this isn't ready at this stage (it's not clear whether it will be implemented in IE either).


@Reiling115

If you want secure access to your server, it is very difficult to do it without SSL. You could try to encrypt your data, but if someone is eavesdropping, he can do exactly the same as the browser would do to decrypt the data.

There are hosters with good solutions for this though. The hoster I am using myself offers a free SSL connection with a URL of the form [mydomain].[hosterdomain].ch . For yearly, you get a certificate for your own domain, this without the need for a private IP address.

Technically it's also possible to create a certificate yourself, but there are two problems with this approach. First, you have to find a provider that allows you to install such a certificate, and second, your browser will give a warning and the user will have to accept this certificate manually.


@Angie530

Given that you want the information to be secure (or as secure as is practical) in transit, you will want to encrypt the output of your PHP scripts using a password (or, preferably, a public key) stored on the server before returning the result and then decrypt the results locally with the password or private key.

A review of client-side libraries would suggest that jCryption could be used for this task with sufficient configuration, however, this variety of implementation is not documented at the jCryption site and implementation details would be more appropriate to StackOverflow.

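The approach suggested above by @Kimberly868 (the server encrypts, a separate application decrypts the saved file) and by @Angie530 (encrypt with a public key stored on the server), as an added example that is not part of the original thread. It assumes PHP 7.2 or later with the sodium extension on both machines; the function names and the sample output are hypothetical.

```php
<?php
// Added example, not from the thread. Requires PHP >= 7.2 with ext-sodium.
declare(strict_types=1);

/** Run once on your own machine; only the public key is uploaded to the host. */
function generate_keypair(): array
{
    $keypair = sodium_crypto_box_keypair();
    return [
        'keypair' => $keypair,                               // stays local
        'public'  => sodium_crypto_box_publickey($keypair),  // goes on the server
    ];
}

/** Server side: capture a script's output and seal it to the public key. */
function seal_output(callable $render, string $publicKey): string
{
    ob_start();
    try {
        $render();
        $plain = (string) ob_get_contents();
    } finally {
        ob_end_clean();   // never leak the plaintext into the response
    }
    // Anonymous public-key encryption: the server cannot decrypt its own output.
    return base64_encode(sodium_crypto_box_seal($plain, $publicKey));
}

/** Local side: decrypt a saved response outside the browser. */
function open_sealed(string $b64, string $keypair): string
{
    $cipher = base64_decode($b64, true);
    if ($cipher === false) {
        throw new RuntimeException('response is not valid base64');
    }
    $plain = sodium_crypto_box_seal_open($cipher, $keypair);
    if ($plain === false) {
        throw new RuntimeException('decryption failed: wrong key or modified data');
    }
    return $plain;
}

// Constructed demo: both sides in one process, with stand-in page output.
$keys   = generate_keypair();
$sealed = seal_output(function (): void {
    echo '<script>var report = {"total": 42};</script>';
}, $keys['public']);
echo strlen($sealed), " base64 characters on the wire\n";
echo open_sealed($sealed, $keys['keypair']), "\n";
```

A sealed box provides confidentiality only: it does not authenticate the sender, so a successful decryption does not prove that the response came from your server.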

