I have written apps that run on both iPhone and Android. They make calls (HTTP POST requests) to a PHP script on my Ubuntu server that retrieves queries from MySQL server there, etc.
Basically I want to encrypt these messages going back and forth. I have the additional constraint that I am on shared hosting and so do not have root (or sudoer) access on my server.
What is the best way to implement this? I don't want something where I have to pay Verisign for a cert (I know very little about security). I am thinking it will somehow involve a public/private key scheme, but I am not sure what is the best method for this.
Any thoughts? Thanks.
If you are on a shared hosting server, it is likely a bit of a challenge (and, depending on the provider's setup, impossible) to secure your keys from other users. Plus, reinventing the encryption wheel is generally a bad idea. So I wouldn't go that route, especially if you aren't knowledgeable about security.
The easiest solution is to use SSL. If you really don't want to get a cert from Verisign (or Comodo or whomever), use your provider's default SSL cert. If they have things set up so that your SSL server will use a cert for https://www.YourHostingProvider.com/, then you should be able to make that work, perhaps with a bit of homework. (MediaTemple is set up that way, where you get their cert if you don't have your own. Not sure about other hosting providers.)
Do try to educate yourself about the elevated risks involved in doing this on the cheap. For example, depending on the setup, it's possible that anyone else on the shared hosting service could impersonate your site if they are sufficiently skilled and determined, since they may have access to the same SSL private key you're using.
If you're securing game high scores or something, that will probably be OK. If you're securing credit card numbers or people's personal health information, this is definitely not the way to go. You don't want to store that kind of information on a shared hosting service, and you definitely don't want to be so resource starved that you're reluctant to buy an SSL cert.
I deal a lot with self-signed SSL certificates as I deploy the systems in offline environments. The problem is that, for example, Chrome users have to deal with "dangerous site" errors etc. Also, if I want to use the GuzzleHttp library for connecting to any other service, I have to set secure to none. What's the best way to deal with it?
If you have a self-signed certificate, it can be made trusted on the specific system that you use. If others from your office use it, then they may need to add this self-signed certificate as trusted by adding it to their system certificate store.
When it comes to an office environment, it is better to contact the administrator and add the certificate to all the systems (certlm.msc in Run for the local machine / certmgr.msc for the current user) so your colleagues won't get these "dangerous site" errors.
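For the GuzzleHttp half of the question, the same trust decision can be made per client rather than by switching verification off. The sketch below is an added example, not code from the original posts; it assumes Guzzle is installed through Composer, and the host name and PEM path are hypothetical. The `verify` request option takes the path of the PEM file to trust, and the host name in the URL must still match the certificate.

```php
<?php
// Added example, not from the original posts. Assumes Guzzle installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;

/**
 * Build a Guzzle client that trusts exactly one private CA (or one
 * self-signed certificate) instead of disabling verification.
 */
function internalClient(string $baseUri, string $caPemPath): Client
{
    $pem = @file_get_contents($caPemPath);
    if ($pem === false) {
        throw new RuntimeException("CA file not readable: $caPemPath");
    }
    // Catch a wrong or truncated file at start-up, not on the first request.
    $cert = openssl_x509_read($pem);
    if ($cert === false) {
        throw new RuntimeException("Not a PEM certificate: $caPemPath");
    }
    $info = openssl_x509_parse($cert);
    if ($info === false || $info['validTo_time_t'] < time()) {
        throw new RuntimeException("Certificate in $caPemPath is expired or unreadable");
    }
    return new Client([
        'base_uri' => $baseUri,
        'verify'   => $caPemPath, // trust anchor; chain and host name are still checked
        'timeout'  => 10,
    ]);
}

// Hypothetical host name and path for an offline deployment.
$client   = internalClient('https://intranet.example.internal/', '/etc/myapp/internal-ca.pem');
$response = $client->get('status');
echo $response->getStatusCode(), PHP_EOL;
```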
My office network provides internet access to my employees when they connect to it through the office's router. I want to make a web application that only computers connected to the internet through my office router can access, so that my employees have to be in my office area before they can log in to the PHP web application.
If they are connected to the internet, but not through my office network, they should not be able to log in to the application. (I know I could have deployed the PHP app on a local server set up in my office, but I want the app to be on a remote server on the internet for my personal reason.)
What hardware do I need to set up my office network, and how do I make PHP detect the ID of the hardware of my network so PHP can determine that a request is coming from my network?
Some options to recognise your private office from a public website:
IP address
This will only work if you know what IP address is in use at any given time by your allowed clients. In the case you use a NAT gateway, this has to be the outside address.
It becomes pretty easy to do this if you have static IP addresses for all your allowed clients, if they change, it quickly becomes a nightmare to keep them right at all times.
Security: since HTTP is based on TCP, it's not trivial for others to get to use your IP address through spoofing, but it's by far not foolproof either. Consider it a poor man's solution at the very best.
Caveat: if any of your staff can get to their machine remotely, they can access it remotely (so e.g. a time registration system is going to get circumvented by this quickly).
VPN
VPN stands for Virtual Private Network.
This is the go-to solution from a security perspective. Essentially you build up tunnels between either individual clients or networks as a whole and the VPN server.
On the central end of those tunnel(s), your webserver answers to web requests (but not to the internet at large).
There is a whole range of VPN products out there. There are equally relatively easy to build solutions using free software (e.g. OpenVPN).
Things on how the client (network or computers) will authenticate to the server and what traffic is attracted to the VPN and much more are all possible parameters you can set.
Security: it depends a bit on the choices made, but unless unproven or outdated solutions are picked, this can be done "top notch". It is however in skill level probably just above your typical IT shop around the corner (but you might be in luck).
Same remark as above: your staff that can gain access to it, might be tunnelling into their machine at work or might use credentials and settings on an office machine at home as well.
DNS
Reverse mapping of IP to names is far too easy to spoof; don't try this.
Login/Password
This is a relatively easy solution: allow access from anywhere, but give authorised users a login and password and let them have access after being logged in properly.
Security: It's non-trivial to get this fully secure, there's plenty of opportunity to make errors in how the application works so that it becomes a problem.
But if you have to have a zero footprint on the clients, this is your best option.
Add in 2 factor authentication to increase the password security and make passing on passwords a bit more difficult.
TL;DR
I'd set up an OpenVPN-based VPN. They are relatively easy to set up, the clients exist for most OSes (take care, not all: e.g. iOS: I don't know of one) and it'll give you more than average protection without you having to delve deeply into the details of encryption protocols and the like.
Still there's a learning curve, but there's plenty of tutorials out there that don't assume much prior knowledge either.
For your clients you set up a certificate-based authentication system using EasyRSA (included with OpenVPN). It's a bit of a habit you need to create, but once set up properly, adding and removing users becomes relatively painless.
On your server all you need to do is make sure the http server only binds to the IP address of the tunnel interface.
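For the "IP address" option above, this is what the check looks like on the PHP side. It is an added example, not code from the answer, and the ranges are constructed documentation addresses standing in for the office gateway's outside address. It compares only the TCP peer address against the allow-list and fails closed on anything it cannot parse.

```php
<?php
// Added example. Ranges are constructed; use the office gateway's outside-NAT addresses.
const OFFICE_RANGES = ['203.0.113.10/32', '198.51.100.0/28', '2001:db8:1234::/48'];

/** True when $ip lies inside $cidr; works for IPv4 and IPv6. */
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    // Fail closed on unparsable input or an IPv4/IPv6 family mismatch.
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;
    }
    $max  = strlen($ipBin) * 8;
    $bits = $bits ?? (string) $max;          // no "/n" means a single host
    if (!ctype_digit($bits) || (int) $bits > $max) {
        return false;                        // "/abc", "/" or "/99" must not match anything
    }
    $bits  = (int) $bits;
    $whole = intdiv($bits, 8);               // number of fully masked bytes
    if (substr($ipBin, 0, $whole) !== substr($netBin, 0, $whole)) {
        return false;
    }
    $rest = $bits % 8;                       // remaining bits in the next byte
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return $rest === 0 || (ord($ipBin[$whole]) & $mask) === (ord($netBin[$whole]) & $mask);
}

function isOfficeRequest(array $server, array $ranges = OFFICE_RANGES): bool
{
    // REMOTE_ADDR is the TCP peer. X-Forwarded-For is client-supplied and ignored.
    $peer = $server['REMOTE_ADDR'] ?? '';
    foreach ($ranges as $cidr) {
        if (ipInCidr($peer, $cidr)) {
            return true;
        }
    }
    return false;
}

// Guard for a page: include this file first, before any output.
if (PHP_SAPI !== 'cli' && !isOfficeRequest($_SERVER)) {
    http_response_code(403);
    exit('Forbidden');
}
```

If the application sits behind a reverse proxy or load balancer, `REMOTE_ADDR` is the proxy's address, so the check then belongs on the proxy instead.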
Didn't really know what title to give this question so I hope it's acceptable.
I am using a system which has an API. I don't have a lot of control over this system, but one thing I need for security reasons is for it to be locked down to my IP. This works, so now the system can only be accessed from my IP.
Now, I have built a custom app which uses the above API. This app is hosted on a server which is different from my IP address. Therefore, when I try to make the API call it fails due to it being restricted. I know this is the case, because if I run the app locally from my location, it works without any problems.
So, the question is what's the best thing to do? I know I could add the IP address of the server which is hosting my app to the system's API. However, I think the server's IP is dynamic, which could cause problems. I have also used things like no-ip locally to control my dynamic IP, but I can't imagine I can install this on my web server.
Looking for thoughts as to how I can overcome this problem.
Thanks
I have a question from a security point of view; it might sound silly but I'm very interested to know. If someone uploads his code on shared hosting (assuming some general US-based web hosting companies where it costs about $5 to $10 a month), is it secure there? Could the other users hosted on the same servers somehow access the code? (And of course the hosting administrators can access it?) In that case is it really safe to host on shared hosting companies?
This depends on how the individual web hosting company has set up their systems.
You need to trust the company you are hosting with but any half decent hosting company should have it locked down so customers can't access each others code. It is always a risk that someone with access to the same server could find it easier to access your data but again this shouldn't be a massive issue with a trusted well known provider.
The best bet is to read company reviews and see what existing customers think about them.
If the company has properly configured the server, no -- other users on the same server will not be able to see your code. However, the administrator will be able to, and may state this in the contract agreement.
Review the contract when purchasing shared hosting to see what rights the administrator claims. Usually, they'll only access your data when there is a problem, such as any indication you are running a script that violates your contract agreement.
Additionally, regardless of the contract agreement, an administrator will likely be required to provide access to law enforcement if they have a warrant, based on the laws local to the country where you are hosting. They may or may not be allowed to notify you, again, based on local laws.
If you're concerned about intellectual property, just make sure you're using a reputable company for hosting. Chances are, stealing your code isn't worth the risk.
Well, the hosting administrator obviously has access to your code, but of course they should have some policy that prevents usage of your data.
Other users could not, "generally speaking", see your code, but this strongly depends on server configuration. For example, if some other webmaster hosts a web application on the same server and it is exploited, it is possible that your application is affected too.
Moreover, it could be easier for other users of the same server to access your data than with a "normal" attack on a private server.
Btw, you would have to be a good sysadmin to protect a server better than a pro who does this thing all day long, so it basically depends on your system administration knowledge.
As you posted this question, you're probably not that good at this kind of stuff, so you may think of shared hosting as something acceptably secure. (Of course, it also depends on what you want to host.)
More professional shared hosting providers use a mod_suphp/suexec setup. That provides a pretty reliable demarcation between users. And going from there you can often work reliably without conflicts from other users.
Of course you still have to live with the performance impacts of a shared server. And an exploit in the system libraries can still be taken advantage of from any of the other accounts.
There is no fully secure web hosting, even if it is a dedicated server. But in most cases, dedicated servers are much more secure than shared hosting. With a dedicated server, you own a physical server, while with shared hosting you share a server with others and there are many factors you cannot control, such as neighbors.
Let's come back to shared hosting security. Though there is no fully secure shared hosting, you can find a more secure one. The security largely depends on what your web host does about security, while you can leverage it too. If your web host has poor security configurations, it is easier for hackers and even neighbors to access your account and data.
What you need to do, if you can only afford shared hosting, is to go for shared hosting with a more secure configuration, like an advanced firewall. Here you can check out http://tutorials.hostucan.net/what-to-consider-when-pick-up-a-secure-hosting to see how to select secure hosting.
If they use CloudLinux instead of CentOS, CSF production tools, SSL, and other security plugins and configurations, the shared hosting is secured.
If you purchase a dedicated server or VPS, you have to purchase all the licences and security plugins for the same configuration; it's very expensive.
My recommendation: whether it's a shared or dedicated server, use CloudLinux and install paid CSF plugins, and add human verification robots to your site to make it secure. Avoid free plugins and themes in your site.
Shared hosting means a single server is shared between multiple users. So, when it comes to security, it depends on the hosting providers, as there are some techniques through which they isolate the environment of an individual user. But still, all users have the same server IP, which somehow puts them in danger of a security breach.
I always prefer a dedicated or separate setup for my websites and I used Cloudways. I have a dedicated server IP and my server resources aren't shared between multiple users. I'm feeling pretty secure with CW.
I was wondering if there's a way to control access to a website in a similar way to how app licensing works, allowing only given computers on the entire Internet to access it... I can't find a way to uniquely identify a given computer OR to discard all machines except the authorized ones... I don't want a user/password approach as it can be shared.
Your best option here is SSL certificates. Get the client to send you a certificate signing request, sign it with your custom CA, and give them a certificate to use to connect to you with. Ensure that it ties directly to a particular hostname, the hostname of the system. Not entirely foolproof, but better.
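Once the web server verifies client certificates against the custom CA, the application can tie each certificate to the machine it was issued for and withdraw individual machines. The sketch below is an added example, not code from the answer; it assumes Apache with mod_ssl in front of PHP, and the CA path, serial numbers and host names are constructed placeholders.

```php
<?php
// Added example. Assumed Apache mod_ssl configuration for this virtual host:
//   SSLCACertificateFile /etc/ssl/private-ca/ca.pem   (hypothetical path to the custom CA)
//   SSLVerifyClient require
//   SSLVerifyDepth 1
//   SSLOptions +StdEnvVars

// Constructed inventory of issued certificates: serial (hex) => machine host name.
$issued  = ['0A1B2C' => 'laptop-01.office.example', '0A1B2D' => 'desk-07.office.example'];
// Serials withdrawn because a machine was lost, sold or retired.
$revoked = ['0A1B2D'];

/** Returns the machine's host name when its certificate is accepted, else null. */
function authorizedMachine(array $server, array $issued, array $revoked): ?string
{
    // mod_ssl sets SSL_CLIENT_VERIFY to NONE, SUCCESS, GENEROUS or FAILED:reason.
    if (($server['SSL_CLIENT_VERIFY'] ?? 'NONE') !== 'SUCCESS') {
        return null;
    }
    $serial = strtoupper($server['SSL_CLIENT_M_SERIAL'] ?? '');
    $cn     = strtolower($server['SSL_CLIENT_S_DN_CN'] ?? '');
    if ($serial === '' || in_array($serial, $revoked, true)) {
        return null;
    }
    // The certificate must be one we issued and must still name the
    // machine it was issued to (subject CN = that machine's host name).
    $expected = $issued[$serial] ?? null;
    return ($expected !== null && $expected === $cn) ? $cn : null;
}

if (PHP_SAPI !== 'cli') {
    $machine = authorizedMachine($_SERVER, $issued, $revoked);
    if ($machine === null) {
        http_response_code(403);
        exit('Client certificate not accepted');
    }
}
```

The private key can still be copied off the machine together with the certificate, which is the "not entirely foolproof" part; the revocation list is what lets you react when that happens.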
IP addresses change. MAC addresses can be spoofed. Computer names are set by the user, and computers can change locations, operating systems, hardware components, and owners.
There's a reason that the username/password combination is so prevalent on the web. And, personally, if it's secure enough for Google, it's secure enough for me.
You can limit the access by IP restriction or MAC address restriction. HTTP servers such as Apache have access control modules. You can find more information about it at http://httpd.apache.org/docs/2.2/howto/access.html