Magento Security

Configuring MySQL SSL in Magento (to get your HIPAA auditor off your back)

I’ve been asked a few times now if there is a way to use encrypted MySQL connections in Magento. Most of the time it is when merchants are selling medical products and HIPAA requirements come into play. I am not an expert in HIPAA, nor do I want to be, but with the cost of vulnerabilities on the rise it made sense to at least look into it and get a good answer on how to do it.
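As an added illustration (not Magento's configuration and not the post's own code): the PDO attributes a PHP application needs in order to require a CA-verified TLS connection to MySQL, plus a runtime check that the session really negotiated a cipher. Host, database name, credentials and the CA path are placeholders.

```php
<?php
// Added example (not Magento's own configuration): open a TLS-protected
// MySQL connection with PDO, pin the CA, verify the server certificate,
// and refuse to proceed if the session did not negotiate a cipher.
// Host, database, credentials and CA path below are placeholders.

function connectMysqlTls(string $host, string $db, string $user, string $pass, string $caFile): PDO
{
    $dsn = "mysql:host={$host};dbname={$db};charset=utf8mb4";
    $options = [
        PDO::ATTR_ERRMODE                      => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES             => false,
        // Trust only this CA, and check the server certificate against it.
        // Without the verify flag, TLS stops passive sniffing but not an
        // on-path impostor presenting its own certificate.
        PDO::MYSQL_ATTR_SSL_CA                 => $caFile,
        PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true,
    ];
    $pdo = new PDO($dsn, $user, $pass, $options);

    // Ask the server which cipher this session is using. An empty value
    // means the driver fell back to a plaintext connection.
    $row = $pdo->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch(PDO::FETCH_ASSOC);
    if (empty($row['Value'])) {
        throw new RuntimeException('MySQL connection is not encrypted');
    }
    return $pdo;
}

$pdo = connectMysqlTls(
    'db.example.internal',          // placeholder host
    'magento',                      // placeholder database
    'magento',                      // placeholder user
    getenv('DB_PASSWORD') ?: '',
    '/etc/ssl/mysql/ca.pem'         // placeholder CA bundle path
);
echo 'TLS cipher: ', $pdo->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetchColumn(1), "\n";
```

Whatever framework sits in front of PDO has to pass those same driver attributes through its database configuration; the `Ssl_cipher` check is worth keeping in a health check, because an older driver paired with a server that has TLS disabled can quietly connect in the clear.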

Opinion Security

We don’t need better authentication

I saw a tweet today concerning authentication.

    Monaco, at White House cybersecurity summit at Stanford, calls for replacing passwords with more secure technologies. — Paul Krill (@pjkrill) February 13, 2015

When reading that, the first thing that came to my mind was “with what?” When will that one be hacked and then replaced by something else, …

Random

Hash value sizes

For giggles, here are examples of hashes for the SHA1, SHA256 and SHA512 hashing mechanisms.

    <?php
    // Random bytes as the key and random bytes as the message; the output
    // length depends only on the algorithm: 40, 64 and 128 hex characters
    // (20, 32 and 64 raw bytes) for SHA1, SHA256 and SHA512 respectively.
    echo hash_hmac('sha1', openssl_random_pseudo_bytes(32), openssl_random_pseudo_bytes(32)) . "\n";

    echo hash_hmac('sha256', openssl_random_pseudo_bytes(32), openssl_random_pseudo_bytes(32)) . "\n";

    echo hash_hmac('sha512', openssl_random_pseudo_bytes(32), openssl_random_pseudo_bytes(32)) . "\n";

Questions

What SSL $_SERVER variables are available in PHP

I found myself wondering what HTTPS variables were available in the $_SERVER variable today and didn’t find a specific list (and didn’t have mod_ssl installed). So as a public service, here is what my server says.

    array(58) {
      ["HTTPS"]=> string(2) "on"
      ["SSL_VERSION_INTERFACE"]=> string(13) "mod_ssl/2.2.3"
      ["SSL_VERSION_LIBRARY"]=> string(25) "OpenSSL/0.9.8e-fips-rhel5"
      ["SSL_PROTOCOL"]=> string(5) "TLSv1"
      ["SSL_SECURE_RENEG"]=> string(4) "true"
      ["SSL_COMPRESS_METHOD"]=> string(4) …

Security

Is prevention the best security practice?

I read a post tweeted by Chris Cornutt today. The basic gist of the article is that your security is only as strong as your most ethically-challenged developer. That got me thinking that we spend so much time trying to prevent intrusions when detection might be a better priority. Some tactics, such as SQL Injection, …
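One concrete detection pass in the spirit of the post, added here (not the author's code): scan web access log lines for query strings that look like SQL injection probes and flag them for follow-up. The log lines are constructed for the example, and the pattern list is a starting point rather than a complete signature set.

```php
<?php
// Added example, not from the post: a minimal detection pass over web access
// log lines for requests that look like SQL injection probes. The log lines
// at the bottom are constructed for illustration.

const SQLI_PATTERNS = [
    '/\bUNION\b.{0,40}\bSELECT\b/i',                  // UNION ... SELECT
    '/\bOR\b\s+[\'"]?\d+[\'"]?\s*=\s*[\'"]?\d+/i',     // OR 1=1, OR '1'='1
    '/(?:--|#|\/\*)\s*$/',                            // trailing comment to swallow the rest
    '/\b(?:SLEEP|BENCHMARK|LOAD_FILE)\s*\(/i',        // time-based and file-read probes
    '/\binformation_schema\b/i',                      // schema enumeration
];

function requestPath(string $logLine): ?string
{
    // Combined log format: ... "GET /path?query HTTP/1.1" status bytes ...
    return preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $logLine, $m) ? $m[1] : null;
}

function looksLikeSqli(string $logLine): bool
{
    $path = requestPath($logLine);
    if ($path === null) {
        return false;
    }
    // Decode twice: probes are often double-encoded to slip past naive filters.
    $decoded = rawurldecode(rawurldecode($path));
    foreach (SQLI_PATTERNS as $re) {
        if (preg_match($re, $decoded)) {
            return true;
        }
    }
    return false;
}

// Constructed sample lines: one benign request, two probes.
$logLines = [
    '203.0.113.7 - - [12/Feb/2015:10:01:02 +0000] "GET /product.php?id=42 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Feb/2015:10:01:05 +0000] "GET /product.php?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [12/Feb/2015:10:02:11 +0000] "GET /search.php?q=1%20UNION%20SELECT%20user%2Cpassword%20FROM%20users-- HTTP/1.1" 500 312',
];
foreach ($logLines as $line) {
    printf("%s  %s\n", looksLikeSqli($line) ? 'SUSPECT' : 'ok     ', requestPath($line));
}
```

Run against a real log, the interesting signal is less any single hit than the same client address tripping several patterns in a short window, or a 200 response to a request that should have produced an error; both are cheap to alert on and catch the case where a prevention control was missed on one endpoint.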

Security

Generating secure cross site request forgery tokens (csrf)

I don’t talk much about security. This is mostly because it’s such a moving target. I’m also horrified that I might give bad advice and someone will be hacked because of me. But in researching the second edition for the IBM i Programmer’s Guide to PHP, Jeff and I decided to include a chapter on …
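An added example of the token scheme (not the book chapter's code): a per-session token drawn from the OS CSPRNG, emitted as a hidden form field and checked with a constant-time comparison. `$session` is a plain array standing in for `$_SESSION` so the functions can be exercised without a web server.

```php
<?php
// Added example (not the book chapter's code): generate and validate a CSRF
// token, one per session, using PHP >= 7 built-ins random_bytes() and
// hash_equals(). $session below stands in for $_SESSION.

function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        // 256 bits from the OS CSPRNG; never md5(uniqid()) or mt_rand().
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrfField(array &$session): string
{
    // Hex output is already safe in an attribute, but escape anyway so the
    // helper stays correct if the token format ever changes.
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

function csrfValid(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token']    ?? '';
    // Reject a missing session token (never "valid because both are empty")
    // and non-string input such as csrf_token[]=x.
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    // hash_equals() takes time independent of where the strings first differ,
    // so the token cannot be recovered byte by byte from response timing.
    return hash_equals($expected, $given);
}

// Demonstration: one form render, then a genuine, a forged and a missing token.
$session  = [];
$field    = csrfField($session);      // emit this inside every state-changing form
$goodPost = ['csrf_token' => $session['csrf_token']];
$badPost  = ['csrf_token' => str_repeat('0', 64)];
var_dump(csrfValid($session, $goodPost));
var_dump(csrfValid($session, $badPost));
var_dump(csrfValid($session, []));
```

The check belongs on every request that changes state, including AJAX endpoints; pair it with `SameSite` session cookies rather than replacing one with the other, since older browsers ignore the attribute.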

Database Security

How to use PHP with MySQL (without SQL Injection vulnerabilities)

Chris Dale recently posted a horrifying article on his blog. It is called “Why it’s easy being a hacker – A SQL injection case study“. The most horrifying part of the post was that when you type in the Google search “How to use PHP with MySQL” a significant number of the results come back …
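The two query patterns side by side, added here rather than taken from Chris Dale's write-up or the original post: the string-built login query that those search results teach, and the prepared-statement form. The table, column names and connection details are placeholders.

```php
<?php
// Added example, not from Chris Dale's case study or the original post:
// the login query pattern that tops the search results, beside the
// parameterised version. Connection details and table names are placeholders.

$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'app', getenv('DB_PASSWORD') ?: '', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Real server-side prepared statements, not client-side string escaping.
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// VULNERABLE: user input is pasted into the SQL text. A username of
//   ' OR '1'='1' --
// turns the WHERE clause into a tautology and the trailing comment discards
// the password check, so the first row in the table "logs in".
function findUserUnsafe(PDO $pdo, string $username, string $password): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '$username' AND password = '$password'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// SAFE: the query text is fixed and values travel separately as bound
// parameters, so the database never parses them as SQL. The password is
// verified against a stored hash in PHP, not compared inside the query.
function findUserSafe(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

// The classic probe. findUserUnsafe() would return the first user row;
// findUserSafe() looks for a user literally named "' OR '1'='1' --" and
// returns null.
$attackerName = "' OR '1'='1' --";
var_dump(findUserSafe($pdo, $attackerName, 'anything'));
```

Binding parameters is the whole fix; `mysql_real_escape_string()` and friends only help when the value is quoted and the connection charset matches, which is exactly the detail the copy-and-paste tutorials get wrong.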

Security Zend Framework

Encrypted session handler

A little while ago I had come upon the problem of having to store sensitive data in a user session. The solution that I (and several others) came upon was creating a mechanism for storing encrypted data in a session. But what we wanted to do was build something that didn’t have a single point of failure. We also wanted to build something portable. What we built was a simple Zend Framework session handler for storing sensitive data.

Random

Why you should be careful with phpinfo

I recently posted an image on why you shouldn’t put phpinfo() calls in your code.

There were a couple of comments from people asking “why not?”

Here’s why not.

Go to Google

Search for inurl:phpinfo

Check out the results

At the time of writing, 4 of the results on the first page were sites broadcasting their server settings.

Here’s another fun one. Search for “inurl:phpinfo root”. Lots more.

There’s a bunch of information that you will see.