Posted by Anze on 10/10/07 18:16
Hi!
Just had an idea and I'd like to hear your comments - or better yet, links
to information on how to easily do this.
Let's say you want to have accounting information of the company on the web
so the clients can check their status anytime. But you don't have your own
server or do not trust the administrator of the server with the data. So,
the idea is that the administrator is the hacker you wish to lock out, at
least so he can't read the data. Is this possible?
I guess the data could be encrypted before it is sent to the server, saved
in some DB there and then decrypted on a client machine when it comes back
from the server.
The problems I see are:
- where would the client key reside? I guess in a cookie, but it should be
installed there and kept permanent...
- the administrator could have access to the PHP pages too, so he could alter
them and get the key through an XSS attack
Yeah, I know, get your own server and an administrator you can trust... Any
other idea? :)
Any comment on this would be appreciated.
Thanks,
Anze