  1. #1
    Junior Member
    Join Date
    Feb 2014
    Posts
    2
    Member #
    38499

    Maximum Security

    I am attempting to create a website that is un-readable to those who I do not want it read by. Not unhackable, I realized this is pretty much impossible, if somebody is dedicated enough it will get hacked. But un-readable is possible, as my website is going to be dealing with information, not files or products, and if the encryption is strong enough, it will be nigh impossible to decrypt.

    I have a couple of ideas to do this.

    First Idea, PGP. I encrypt the whole page with PGP, and then give out PGP keys to those who I want it to be read by. This is hard, and I would prefer that separate people have separate keys made by themselves. That way if one person gets compromised it doesn't compromise the whole system.

    Next, I was thinking of a script that deals with GnuPG or something similar, but there is a flaw with this. I will get to it later.
    So the user enters their PGP key, the site compares it to a key in a SQL database or a list. If it is in there, it will continue on and encrypt the information in their key, and output it to them. The MAJOR flaw with this is that I either have to store un-encrypted data on the webserver, or have it encrypted but store the key on the webserver. Either way, if somebody hacks/has access to the server, it defeats the whole purpose.

    I am currently trying to think of a way that makes it un-readable. I am talking completely, irrevocably, unreadable. So much so that it will resist the best NSA/DHS hackers and cryptanalysis, and other unnamed organizations that are out there.

    Any suggestions?

    I know that the weakest link if I pull this off would be the computers accessing the site itself, they would be able to be hacked and the private keys downloaded. I have ideas to combat that as well but this isn't the forum for them.

    I realize this topic may scare some people, OH MY GOD HE IS DOING STUFF HE DOESN'T WANT THE GOV. KNOWING ABOUT... Yes. It isn't illegal, but I don't wish them to know about it, because I believe in my rights and privacy. That being said, if this topic isn't wanted here, delete it and I will ask elsewhere.
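One way to build the second idea above without keeping plaintext or a decryption key on the webserver, as an added example that is not from this thread: every document is encrypted offline to each reader's own public key (for instance with gpg on a machine that never touches the server), the server stores only the resulting ciphertexts indexed by the reader's OpenPGP v4 fingerprint, and a request is matched by fingerprint. The RSA numbers, creation time and the ciphertext blob below are constructed placeholders, not real key material.

```python
import hashlib
import hmac
import struct

def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then minimal big-endian bytes."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")

def v4_fingerprint(n: int, e: int, created: int) -> str:
    """OpenPGP v4 fingerprint of an RSA public key (RFC 4880 section 12.2):
    SHA-1 over 0x99, the 2-byte packet length, then the public-key packet body
    (version 4, 4-byte creation time, algorithm 1 = RSA, MPI n, MPI e)."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def normalize(fpr: str) -> str:
    """Canonicalize the spacing/case variants users paste ('ab12 cd34 ...')."""
    return "".join(fpr.split()).upper()

def ciphertext_for(store: dict, presented_fpr: str):
    """Return the blob pre-encrypted to the presented key, or None.
    Every entry is compared in constant time so a miss takes as long as a hit,
    and there is no plaintext to fall back to: the server only ever holds ciphertext."""
    wanted = normalize(presented_fpr).encode()
    found = None
    for fpr, blob in store.items():
        if hmac.compare_digest(fpr.encode(), wanted):
            found = blob
    return found

# Constructed sample: tiny numbers standing in for a reader's RSA public key
# (not a usable key) and a placeholder for a message encrypted offline to it.
ALICE_N = 0xC1F3A7B9D52E6F0133557799BBDDFF10
ALICE_E = 65537
ALICE_CREATED = 1391212800  # 2014-02-01T00:00:00Z, constructed
ALICE_FPR = v4_fingerprint(ALICE_N, ALICE_E, ALICE_CREATED)

STORE = {
    ALICE_FPR: b"-----BEGIN PGP MESSAGE-----\n<constructed placeholder>\n-----END PGP MESSAGE-----\n",
}
```

A compromised server then yields only ciphertexts and the fingerprints of the people allowed to read them; the private keys that matter stay on the readers' machines, which is the weakest link the post already names.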

  3. #2
    Unpaid WDF Intern TheGAME1264
    Join Date
    Dec 2002
    Location
    Not from USA
    Posts
    14,485
    Member #
    425
    Liked
    2783 times
    Now, I'm not a security expert and I don't claim to be...but I do know a little about it because I have to deal with it when I build e-commerce sites. So here's what I understand.

    First things first...there is no two-way security measure that is foolproof. Doesn't exist. No matter what happens, every security measure has a counter or a hack or some other way to get into it at some point. It might not be obvious, and it might not be easy, but it's always there. That's the nature of encryption and decryption...the decryption in and of itself represents a hole in the security. It has to by its very nature. The best you're going to be able to do is to make it a waste of time for all but the most dedicated of hackers to come at you, and that's usually good enough given that most hackers tend to target things with a higher payload.

    Second, I'd study up on PCI compliance standards if I were you and try to implement the suggestions they give. The guys who design and implement those standards have to keep their security game tighter than the CIA because they have people coming at them from all sides. For example, one of their simpler things to implement is disabling of autocomplete on any and all forms...that way, even if a user's computer is hacked, the password form itself won't autocomplete. The user may have the password stored elsewhere in a file, and that's beyond your control, but they can't autocomplete it.

    Third, the server has to be up to date at all times along with any associated software. If you build your site correctly from a security standpoint, it's a lot more likely that the server will be hacked than the site will. This is going to be your big problem, especially if you're going to get into the crosshairs of NSA/DHS.

    Fourth, look for a language that requires or at least allows the option for a compiler. If your server should get hacked, then compiling your code makes it that much harder to figure out. I know ASP.net has this option. I believe Python does as well, and a few others.

    Fifth, security by obscurity. There's a group of people out there that suggest that this is a flawed idea because it's not foolproof. I'm not one of them...the more unique and more obscure and difficult you make your security methods, the harder it will be for a hacker to try things and given that you're only one person, the less likely it is to be worth it to the hacker.

    Sixth: SSL. Get one. If privacy and interception are that important to you, get an SSL. I hopefully won't have to explain why.

    Seventh: your content itself. It doesn't matter how you encrypt it. If you put it on a web page in pure HTML form, you're going to have issues with people saving the pages on their browsers for offline use and/or other methods of distribution. You can't stop this no matter how hard you try. The content, once delivered to the client, will be decrypted and the client can do what (s)he wants with it. So if you're doing something or saying something that could potentially get you into that much trouble, be aware that at some point it can end up out in the open no matter what you do and there isn't a thing you can do to stop that. You can't stop people from viewing source, downloading web pages, copying/pasting content into Word docs, etc. Again, the only thing you're going to do is make it harder for people.
    If I've helped you out in any way, please pay it forward. My wife and I are walking for Autism Speaks. Please donate, and thanks.

    If someone helped you out, be sure to "Like" their post and/or help them in kind. The "Like" link is on the bottom right of each post, beside the "Share" link.

    My stuff (well, some of it): My bowling alley site | Canadian Postal Code Info (beta)

  4. #3
    Junior Member
    Join Date
    Feb 2014
    Posts
    2
    Member #
    38499
    Yeah, I realize that. I need to reword "unreadable" to "super hard to read".

    What I am going to be doing isn't illegal, morally or otherwise, but if what I think is correct, it will still get me in trouble, eventually. Thanks for all the tips, I will definitely use some of them. I am going to be using TOR, not a regular domain name, which adds an amount of security, but even that can be traced eventually; it's just a matter of time, like anything else.

    I do want to use PGP in my messages, however, as an added layer of security. So that way if somebody manages to get through all the other layers, they will have to find one of my users, hack his computer, and grab his private key.

  5. #4
    Banned
    Join Date
    Apr 2014
    Posts
    13
    Member #
    38859
    1st rule of hack club:

    Don't talk about hack club

    I don't even know why you'd post something like this on a web design forum anyway. If you are so consumed with creating secrecy and security, why are you posting this here? Go read some books on linux security and design a good network...

  6. #5
    Unpaid WDF Intern TheGAME1264
    Join Date
    Dec 2002
    Location
    Not from USA
    Posts
    14,485
    Member #
    425
    Liked
    2783 times
    He's trying to create an unreadable website. The question does make sense.