Encrypting web sites - Resources

Discussion in 'General Programming Chat' started by Meraman, Mar 22, 2010.

  1. Meraman

    Meraman Regular Member

    Joined:
    Nov 28, 2009
    Messages:
    210
    Likes Received:
    107
    Location:
    MyComputer
    Where is a good site that informs about encrypting web sites?

    Let me say that I am not asking anyone to teach me (it is not even for me anyway), just the name of a place where I could get concise and to-the-point information on how to code encrypting quickly.

    Thanks a lot.
     
  2. smack

    smack Junior Member

    Joined:
    Feb 1, 2010
    Messages:
    182
    Likes Received:
    80
    Occupation:
    Software Engineer/Evil Genius
    Location:
    inside .NET
    when you say encrypt a website, what do you mean?

    are you talking about encrypting all of your pages, or just certain user/proprietary data that you store?

    if you're just speaking to specific pieces of data then there are a few things to think about.

    there are loads of encryption techniques at your disposal, some do a better job of certain actions than others. for example when you have a user login table you will probably want to hash the passwords to obfuscate them to view using something like SHA1. this is preferred to a full public/private key encryption (in this instance than other options) because it is theoretically more secure since hashes are a "one way" type of encryption. if someone gets a hold of your code base they still can't decrypt your password file, it is also faster on a login action to compare a hashed value to a hashed value than to do a full decryption of an encrypted value to compare the plain text.

    now there are other types of data that you will want to do a full encrypt/decrypt with. a good use case to illustrate this would be if you store credit card information to allow the customer the ability to "quick reorder". then you would want to use something like Triple DES with a public/private key. this will allow you to store the number in a relatively secure manner (nothing is ever 100% secure), and decrypt it later when you need to send that number along with your order data to your processor.

    so depending on what you're looking to do there are a myriad of different options and techniques that you can leverage to accomplish your goals. in specific reference to my example of credit card data there are even industry regulations from payment companies called PCI DSS (payment card industry data security standard) that outline best practices for not only how your code and algorithms should function, but also physical and access level security of your networks and hardware.

    here are some general links to get your internal dialogue going:

    *just a note to keep in mind. MD5 and AES are both considered broken at this point.

    Code:
    http://www.networkworld.com/columnists/2007/011707miliefsky.html
    https://www.pcisecuritystandards.org/
    http://www.15seconds.com/issue/000217.htm
    http://en.wikipedia.org/wiki/Cryptographic_hash_function
    http://en.wikipedia.org/wiki/Triple_DES
    http://en.wikipedia.org/wiki/SHA_hash_functions
    
    so give a little more detail on what you're trying to accomplish. i am far from an expert on encryption, but i would be willing to bet that there are plenty of people on this board who are. :)
     
    • Thanks x 2
  3. smack

    well there are some good DRM solutions available if you're worried about content theft, but nothing is ever 100%.

    generally all it takes is a couple chinese teenagers with some free time. haha.
     
  4. Meraman

    Thanks for the great explanation, smack.

    What I meant for encryption is just a simple way to scramble the source code of some sites, no credit card info, state secrets or anything like that.

    My goal is to avoid my mostly illiterate internet competitors to steal my source code since some already did. These competitors are brick and mortar companies, not online firms.

    I saw some sites where the code is just letters and numbers in hexa instead of our alphabet so the search engines can read it but humans can not.

    And if they hire some chinese teenager hacker, well, so it's life...

    Thanks again.
     
  5. voyevoda

    voyevoda Regular Member Premium Member

    Joined:
    Mar 21, 2010
    Messages:
    217
    Likes Received:
    97
    Location:
    Eastern Front
    This is incorrect. MD5 and AES are not "broken". They're not even the same thing, anyways. MD5 is a hashing algorithm; AES is a symmetric block cipher.

    MD5 has known collisions, but you should be using HMAC-SHA256 for message signing. MD5 should only be used for generating checksums of non-critical files and whatnot.

    AES has a few proposed attacks (they vary depending upon the key size you're using), but they're only viable for a small number of rounds. Schneier and Ferguson recommend using Serpent over AES and even their own algorithm, Twofish, in Practical Cryptography.

    </crypto nerd>
     
    • Thanks x 1
  6. smack

    ah ok, gotcha. you're probably looking for something more along these lines then?

    Code:
    http://www.voormedia.com/en/tools/html-obfuscate-scrambler.php
    http://www.designerwiz.com/generator/encryptHTML.htm
    http://javascript-source.com/javascript-obfuscator.html
    http://www.webreference.com/programming/optimize/
    
    ** just a disclaimer, i've never used any of the products or tools in those, just google "html obfuscate" and that's a few of the better looking results that came up.

    there's also some nifty server side code obfuscators around as well. .NET specifically has DotObfuscater community edition built in to the IDE. :)
     
    • Thanks x 1
  7. Meraman

    Appreciated.

    Will certainly take a look on those resources.
     
  8. smack

    i'm well aware they're not the same thing.

    i've heard quite a bit of chatter about md5 being broken.

    Code:
    http://www.neowin.net/news/md5-encryption-broken-microsoft-warns
    http://www.aladdin.com/CryptographyBlog/post/2009/01/SSL-is-not-broken%3B-MD5-is-and-has-been-for-a-long-time.aspx
    http://en.wikipedia.org/wiki/MD5
    seems pretty damn broken to me?

    my fault about AES, i meant DES. i suppose "broken" might be a harsh term, but for my money if the us government says it is unfit to protect its data i would feel it's also unfit to protect mine.

    Code:
    http://www.rsa.com/rsalabs/node.asp?id=2227