The Developer Day | Staying Curious


I was really happy to see that most of the Drupalcon 2008 talk videos were published. There are a few general talks that I would like to highlight.

One talk that really impressed me was “Rasmus Lerdorf keynote - Simple is Hard”. I found it to be very interesting, exciting, funny and shocking. It opened my eyes, to some extent, to not overdoing abstractions and mega layers and to taking a look at simple things like transactions per second. The inclued pecl extension just blew my mind. Sadly there isn’t a DLL compiled for Windows. But I’m definitely trying out this extension on our applications to see what kind of a mess we have.

There were also a few remarks by Rasmus about PHP security at the end of the presentation that were really interesting. A few other talks worth mentioning: “Indexes and denormalization: keys to scaling sites with massive content”, a nice introduction to indexes and how they work, and most importantly to why you can’t have indexes across two tables using open source relational databases and how denormalization helps.

“High availability solutions for MySQL: An Overview and practical demo” speaks for itself. If you are interested in replication, clusters and the like, this talk is for you.


“Essential PHP Security” Book Review

Essential PHP Security Book Cover

“Essential PHP Security” is an introduction to PHP application security written by Chris Shiflett. Though you could say that it suits any other language too, at least to some point. It is a really short, easy read. Having developed PHP applications for quite a few years, I had never tried to take a look at all the security issues in one place to see if I’m up to date. To tell the truth I expected something more, but that is why the book name includes the word “essential”. Let’s take a closer look at the book.

Chapter I - Intro

Basically it tells you to avoid the deprecated register_globals (which is going away in PHP 6), turn on error_reporting(E_ALL | E_STRICT), practice “Defense in Depth”, or otherwise add additional “safeguards” where possible to make it harder for the attacker, and “Least Privilege”, or otherwise give only the required permissions, and write simple, elegant code so that security issues are easier to spot.

Chapter II - Forms and URLs

Basic, basic, basic... Don’t do things like [email protected], use is_uploaded_file() and move_uploaded_file() for uploads, prevent XSS using htmlentities() with ENT_QUOTES and the encoding that you specified in the HTTP response of your application. The CSRF topic is quite old now but still not taken seriously, and there are a few thoughts on not taking HTTP_REFERER too seriously.
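
An added example (not from the book or the post) of the two Chapter II defenses: output escaping with htmlentities() using ENT_QUOTES and the response charset, and a per-session CSRF token checked on every POST. It assumes the application sends UTF-8 responses; the helper names h(), csrfToken() and csrfCheck() are mine.

```php
<?php
// Added example (not from the book or the post): output escaping plus a CSRF
// token. Assumes UTF-8 responses; helper names are hypothetical.
declare(strict_types=1);

const APP_CHARSET = 'UTF-8';
session_start();
header('Content-Type: text/html; charset=' . APP_CHARSET);

// Escape on output with the same charset the response declares. ENT_QUOTES
// covers both ' and " so the value is also safe inside quoted attributes.
function h(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, APP_CHARSET);
}

// One random secret per session; the form carries it, the handler checks it.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison so timing does not leak the token. HTTP_REFERER
// is deliberately not consulted: the post notes it is unreliable.
function csrfCheck(?string $submitted): bool
{
    return is_string($submitted)
        && !empty($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfCheck($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid request token');
    }
    // ... handle the submitted form here ...
}

// Rendering: every user-controlled value passes through h() on the way out.
$name = $_GET['name'] ?? '';
echo '<form method="post">'
   . '<input type="hidden" name="csrf_token" value="' . h(csrfToken()) . '">'
   . '<p>Hello, ' . h($name) . '</p>'
   . '<button>Send</button></form>';
```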

Chapter III - Databases and SQL

Keep your db credentials outside of the document root, or at least not visible from outside, better yet in server environment variables; avoid SQL injection using database-specific escape functions, prepared statements or addslashes(); and encrypt things like SSNs or credit card numbers.
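
The Chapter III advice as an added example, not from the book: the DSN comes from an environment variable (DB_DSN is an assumed name) rather than a file under the document root, and a concatenated query is shown beside its prepared-statement replacement. It runs against an in-memory SQLite database through PDO, so it needs no server.

```php
<?php
// Added example (not from the book): Chapter III in code. The DSN comes from an
// environment variable (assumed name DB_DSN) so no credential sits in a file
// under the document root; an in-memory SQLite database is the offline default.
declare(strict_types=1);

$db = new PDO(getenv('DB_DSN') ?: 'sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'user'), ('bob', 'admin')");

// Vulnerable: the value is concatenated into the SQL text, so a quote in the
// input changes the query structure instead of being compared as data.
function findUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT name, role FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: a prepared statement sends the value separately from the SQL
// text, so the same input is only ever matched as a literal string.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed test input: a name nobody has plus a condition that is always true.
$input = "nobody' OR '1'='1";
printf("unsafe: %d rows, safe: %d rows\n",
    count(findUserUnsafe($db, $input)), count(findUserSafe($db, $input)));
```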

Chapter IV - Sessions and Cookies

Things get more interesting here. Cookie theft, which is really just a subtopic of XSS, and session fixation, a topic like CSRF: known for a long time and not taken seriously. For those of you that don’t know, the defense against session fixation is regenerating your session id every time a user in your application gets higher permissions, like logging in. Also an old trick: check on every page load whether the user’s USER_AGENT suddenly changed, to make it harder for the attacker.

Chapter V - Includes

This chapter explains how to keep as much as possible of your application outside of the document root, and to filter every user-given variable that you use for includes with basename(), realpath(), pathinfo() or other such tools. Also disabling allow_url_fopen, though I prefer disabling allow_url_include more.

Chapter VI - Files and Commands

Almost the same as Chapter V, except that you learn new functions like escapeshellcmd() and escapeshellarg().
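
An added example (not from the book or the post) covering both Chapter V and Chapter VI: a template include whose name comes from the request is reduced with basename(), checked with pathinfo() and confined with realpath(), and a shell command is built with escapeshellarg(). TEMPLATE_DIR, the log path and the function names are assumptions.

```php
<?php
// Added example (not from the book or the post): Chapter V and VI defenses.
// Templates live outside the document root at an assumed path; the request
// only ever supplies a bare file name.
declare(strict_types=1);

const TEMPLATE_DIR = '/var/app/templates';   // assumed, outside document root

// basename() strips any directory part ("../../etc/passwd" becomes "passwd"),
// pathinfo() enforces the extension, and realpath() resolves symlinks and ".."
// so the prefix check cannot be fooled by a path that merely starts the same.
function resolveTemplate(string $requested): ?string
{
    $name = basename($requested);
    if (pathinfo($name, PATHINFO_EXTENSION) !== 'php') {
        return null;
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;   // missing file, or resolved outside the template dir
    }
    return $path;
}

// The name is never treated as a URL; with allow_url_include off a remote
// resource could not be included even if a check above were bypassed.
$tpl = resolveTemplate($_GET['page'] ?? 'home.php');
if ($tpl === null) {
    http_response_code(404);
    exit('No such page');
}
include $tpl;

// Chapter VI: never splice raw input into a command line. escapeshellarg()
// wraps one argument in single quotes; escapeshellcmd() is for a whole command.
function countLogMatches(string $needle): int
{
    $logFile = '/var/log/app.log';   // assumed path
    $cmd = 'grep -c ' . escapeshellarg($needle) . ' ' . escapeshellarg($logFile);
    return (int) trim((string) shell_exec($cmd));
}
```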

Chapter VII - Authentication and Authorization

A nice idea is to use 15 second login timeouts to make it harder for attackers while keeping legitimate users safe. Use SSL. Try to avoid persistent logins, and if you can’t, don’t store sensitive information like usernames or passwords in the cookies. A really nice idea is to generate one-time-use tokens with a timeout, save them in cookies for persistent logins and regenerate them on every login.
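
An added example (not from the book or the post) that serves both Chapter IV and Chapter VII: the session id is regenerated on login, the session is bound to the User-Agent, and a persistent login keeps only a random selector and token in the cookie, rotated every time it is redeemed. $store is a hypothetical server-side store with save(), find() and delete() methods, and session_start() is assumed to have run.

```php
<?php
// Added example (not from the book or the post): session-fixation defense,
// User-Agent binding and rotating persistent-login tokens. $store is a
// hypothetical store with save()/find()/delete(); see the lead-in.
declare(strict_types=1);
const PERSIST_TTL = 60 * 60 * 24 * 14;   // 14 days

function onLoginSuccess(int $userId, object $store): void
{
    // Fresh session id once the user gains privileges; the old one is deleted.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['ua_hash'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    issuePersistentToken($userId, $store);
}

// Every request: a changed User-Agent is a cheap hijack signal.
function sessionLooksValid(): bool
{
    return isset($_SESSION['user_id'], $_SESSION['ua_hash']) && hash_equals(
        $_SESSION['ua_hash'], hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? ''));
}

// Cookie holds only a random selector and token, never username or password;
// the server stores a hash of the token, so a leaked table cannot log in.
function issuePersistentToken(int $userId, object $store): void
{
    $selector = bin2hex(random_bytes(8));
    $token    = bin2hex(random_bytes(32));
    $store->save($selector, hash('sha256', $token), $userId, time() + PERSIST_TTL);
    setcookie('remember', $selector . ':' . $token, [
        'expires' => time() + PERSIST_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Redeem the cookie once: a valid token logs the user in and is replaced.
function loginFromPersistentCookie(object $store): bool
{
    [$selector, $token] = explode(':', $_COOKIE['remember'] ?? '', 2) + ['', ''];
    $row = $store->find($selector);   // null when the selector is unknown
    if ($row === null || $row->expires < time()
        || !hash_equals($row->token_hash, hash('sha256', $token))) {
        return false;
    }
    $store->delete($selector);                   // one-time use
    onLoginSuccess((int) $row->user_id, $store); // new id, new token
    return true;
}
```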

Chapter VIII - Shared Hosting

It’s best to avoid PHP shared hosting. The book was written in 2005 when PHP had a lot more security issues. Most good hosts have virtual machines or have open_basedir and safe_mode enabled with lots of stuff disabled. Safe mode will be removed in PHP 6, but it has a really nice feature like allowing executables to be run only from a certain directory.

Appendix A

Not too interesting: configuration directives. Disable allow_url_fopen, use disable_functions, turn display_errors off, disable enable_dl, set error_reporting to E_ALL | E_STRICT, log errors, turn off magic_quotes_gpc, set memory_limit to 8 MB if you can, use open_basedir, turn off register_globals, use safe mode.

Appendix B

Avoid eval(), avoid functions that allow executing commands on the server, use includes carefully, and be careful when using the preg_replace() /e modifier.

Appendix C

Nice idea to use salt when generating password hashes to make rainbow tables ineffective.
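
An added example, not from the book: the same password hashed without and with a per-user salt, so the effect on precomputed tables is visible, followed by the modern password_hash() equivalent. The sample password and the helper names are constructed.

```php
<?php
// Added example (not from the book): a per-user salt versus a plain digest.
declare(strict_types=1);

// Unsalted: identical passwords give identical digests, so one precomputed
// (rainbow) table of digests cracks every account that used that password.
function hashUnsalted(string $password): string
{
    return hash('sha256', $password);
}

// Salted, as the 2005 book describes: a random salt is mixed into the digest
// and stored beside it, so an attacker would need a fresh table per salt.
function hashSalted(string $password, ?string $salt = null): array
{
    $salt = $salt ?? bin2hex(random_bytes(16));
    return ['salt' => $salt, 'hash' => hash('sha256', $salt . $password)];
}

function verifySalted(string $password, array $stored): bool
{
    return hash_equals($stored['hash'], hash('sha256', $stored['salt'] . $password));
}

// Constructed demo: two users who chose the same password.
$password = 'correct horse';
$userA = hashSalted($password);
$userB = hashSalted($password);
printf("unsalted digests identical: %s\n",
    hashUnsalted($password) === hashUnsalted($password) ? 'yes' : 'no');
printf("salted digests identical:   %s\n", $userA['hash'] === $userB['hash'] ? 'yes' : 'no');
printf("userA verifies:             %s\n", verifySalted($password, $userA) ? 'yes' : 'no');

// Modern PHP (5.5+): bcrypt via password_hash(), which generates and embeds
// the salt and adds a tunable work factor; prefer it over a bare SHA digest.
$stored = password_hash($password, PASSWORD_DEFAULT);
printf("password_verify:            %s\n", password_verify($password, $stored) ? 'yes' : 'no');
```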

All in all it’s a very good book to get started with. Maybe not as detailed as Stefan Esser’s recent findings, but if only every site on the web would do the things described in the various book chapters… Projects like show how secure the web really is. And for the last words... It’s not PHP that is not secure. An enormous amount of effort was put into making PHP more secure. Just to give you an idea, listen to “The state of PHP security” or read about what Stefan Esser is doing. Yes, there still are security bugs in PHP, but honestly, like Steve Ballmer would say, it’s all about: developers, developers, developers. PHP deserves a better name.


Internet security. How safe is it?

Did you know that the most widespread encryption algorithm in electronic commerce is RSA? For two computers that have never communicated before to start a secure conversation, RSA uses a public key and a private key.

For example, if Tom wanted to send a secure message to Suzi, he would encode his message with Suzi’s public key and send it to her. The message can only be decoded using Suzi’s secret private key that only she knows.

The interesting thing is that a private key is made of two large, distinct, random prime numbers, and a public key is the product of those two numbers. So RSA is only as safe as it is hard to find those two prime numbers from the public key to get the private key. More interestingly, it turns out to be almost impossible: there is no efficient algorithm on earth to find those two prime numbers using a public key. It would take years to decrypt a single number. You can actually earn some money trying to decrypt RSA messages.

RSA keys are typically 1024 or 2048 bits long. A shorter 256-bit key can easily be decrypted using a home computer. A 512-bit key can be decrypted with a computer cluster. Even 1024 is not considered really safe anymore. Even more, Shor’s algorithm proves that an RSA key could be decrypted as fast as a computer can do a quicksort, though that would require us to have a quantum computer. It’s a theoretical device for now, but who knows what the future holds? :)
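
As an added example (not from the post): a toy RSA in PHP with small constructed primes, showing the key relationship the post describes and that the private exponent falls out as soon as n is factored. The function names are mine; real keys use moduli far too large for this to work.

```php
<?php
// Added example (not from the post): toy RSA with tiny primes. n = p*q is
// public, the private exponent follows from p and q, and recovering it from
// the public key means factoring n. The primes below are constructed.
declare(strict_types=1);
function modPow(int $base, int $exp, int $mod): int
{
    $result = 1; $base %= $mod;
    for (; $exp > 0; $exp >>= 1, $base = ($base * $base) % $mod) {
        if ($exp & 1) { $result = ($result * $base) % $mod; }
    }
    return $result;
}

// Extended Euclid: returns d with e * d = 1 (mod phi)
function modInverse(int $e, int $phi): int
{
    [$a, $b, $x0, $x1] = [$phi, $e, 0, 1];
    while ($b !== 0) {
        $q = intdiv($a, $b);
        [$a, $b] = [$b, $a - $q * $b];
        [$x0, $x1] = [$x1, $x0 - $q * $x1];
    }
    return ($x0 % $phi + $phi) % $phi;
}

function rsaKeygen(int $p, int $q, int $e = 65537): array
{
    return ['n' => $p * $q, 'e' => $e, 'd' => modInverse($e, ($p - 1) * ($q - 1))];
}

// Factoring n by trial division: instant here, infeasible for real key sizes
// with any known classical algorithm, which is the whole security argument.
function factorByTrialDivision(int $n): array
{
    for ($p = 2; $p * $p <= $n; $p++) {
        if ($n % $p === 0) { return [$p, intdiv($n, $p)]; }
    }
    return [$n, 1];
}

// Tom encrypts with Suzi's public (n, e); only her private d decrypts.
$k = rsaKeygen(1009, 3517);
$cipher = modPow(42, $k['e'], $k['n']);
$plain  = modPow($cipher, $k['d'], $k['n']);
// Someone holding only (n, e) rebuilds d once n is factored.
[$p, $q] = factorByTrialDivision($k['n']);
$recoveredD = modInverse($k['e'], ($p - 1) * ($q - 1));
printf("plain=%d  d=%d  recovered=%d\n", $plain, $k['d'], $recoveredD);
```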

There are other known attacks, but they are way too complex for a simple presentation like this. So..

Shop safely!
