by Kevin Schroeder | 11:34 am

Configuring MySQL SSL in Magento (to get your HIPAA auditor off your back)

I’ve been asked a few times now if there is a way to use encrypted MySQL connections in Magento. Most of the time it is when merchants are selling medical products and HIPAA requirements come into play. I am not an expert in HIPAA, nor do I want to be, but with the cost of vulnerabilities on the rise it made sense to at least look into it and get a good answer on how to do it.
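The teaser above does not show the configuration itself, so here is an added example (mine, not code from the post or from Magento) of the building block any Magento setup has to end up at: Magento 1's `Varien_Db_Adapter_Pdo_Mysql` extends `Zend_Db_Adapter_Pdo_Mysql`, which hands its driver options straight to PDO, so the PDO attributes below are what must be set however the configuration reaches them. The hostname, database name, credentials and certificate path are placeholders (assumptions), and the verify-server-cert attribute needs PHP 7.1.4 or newer.

```php
<?php
// Added example: open a PDO MySQL connection that requires TLS, verifies the
// server certificate against a pinned CA, and then confirms the session really
// is encrypted. Host, credentials and the CA path are placeholders.

declare(strict_types=1);

function connectMysqlTls(string $host, string $db, string $user, string $pass, string $caFile): PDO
{
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $host, $db);

    $options = [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
        // CA certificate that signed the MySQL server's certificate ...
        PDO::MYSQL_ATTR_SSL_CA     => $caFile,
        // ... and refuse servers whose certificate does not chain to it
        // (PHP >= 7.1.4). Without this the client encrypts but does not
        // authenticate the peer, which is exactly what a MITM wants.
        PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true,
    ];

    $pdo = new PDO($dsn, $user, $pass, $options);

    // Belt and braces: ask the server which cipher this session negotiated.
    // An empty Ssl_cipher means the connection silently fell back to plaintext.
    $row = $pdo->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch(PDO::FETCH_ASSOC);
    if (empty($row['Value'])) {
        throw new RuntimeException('MySQL connection is not encrypted; refusing to continue');
    }

    return $pdo;
}

// Placeholder values; the password is read from the environment rather than hard-coded.
$pdo = connectMysqlTls(
    'db.example.internal',
    'magento',
    'magento',
    getenv('DB_PASS') ?: '',
    '/etc/mysql/ca.pem'
);
echo "connected over TLS\n";
```

Enforce it on the server side as well, so a misconfigured client cannot connect in the clear: in MySQL, `ALTER USER 'magento'@'%' REQUIRE SSL;` (or `CREATE USER ... REQUIRE SSL`) makes the server reject unencrypted logins for that account regardless of what the PHP side asks for.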

by Kevin Schroeder | 1:33 pm

We don’t need better authentication

I saw a tweet today concerning authentication: “Monaco, at White House cybersecurity summit at Stanford, calls for replacing passwords with more secure technologies.” — Paul Krill (@pjkrill), February 13, 2015. When reading that the

by Kevin Schroeder | 8:27 pm

Hash value sizes

For giggles, here are examples of hashes for the SHA1, SHA256 and SHA512 hashing mechanisms.

    echo hash_hmac('sha1', openssl_random_pseudo_bytes(32), openssl_random_pseudo_bytes(32)) . "\n";
    echo hash_hmac('sha256', openssl_random_pseudo_bytes(32), openssl_random_pseudo_bytes(32)) . "\n";
    // The third call is cut off in the excerpt; completed with sha512 from the sentence above.
    echo hash_hmac('sha512', openssl_random_pseudo_bytes(32), openssl_random_pseudo_bytes(32)) . "\n";

by Kevin Schroeder | 9:07 am

What SSL $_SERVER variables are available in PHP

I found myself wondering what HTTPS variables were available in the $_SERVER variable today and didn’t find a specific list (and didn’t have mod_ssl installed).  So as a public service, here is what my

by Kevin Schroeder | 1:05 pm

Is prevention the best security practice?

I read a post tweeted by Chris Cornutt today.  The basic gist of the article is that your security is only as strong as your most ethically-challenged developer.  That got me thinking that we

by Kevin Schroeder | 1:03 pm

Generating secure cross site request forgery tokens (csrf)

I don’t talk much about security.  This is mostly because it’s such a moving target.  I’m also horrified that I might give bad advice and someone will be hacked because of me. But in
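The excerpt stops before the technique, so here is an added example of the pattern the title refers to (my code, not the post's): a per-session token minted from the CSPRNG, stored server-side, embedded in the form, and compared in constant time on submit. It assumes PHP 7.0 or newer for `random_bytes()` and `hash_equals()`; the session key and form field names are placeholders.

```php
<?php
// Added example: per-session CSRF token. Assumes PHP >= 7.0 and that a session
// is started before the helpers are used. Field and key names are placeholders.

declare(strict_types=1);

const CSRF_SESSION_KEY = '_csrf_token';

// Return the session's token, minting one on first use. 32 random bytes gives
// 256 bits of entropy; hex keeps it safe to drop into an HTML attribute.
function csrfToken(): string
{
    if (empty($_SESSION[CSRF_SESSION_KEY]) || !is_string($_SESSION[CSRF_SESSION_KEY])) {
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

// Hidden field to include in every state-changing form.
function csrfField(): string
{
    return '<input type="hidden" name="_csrf" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Validate a submitted value. hash_equals() avoids the timing side channel of ==,
// and the type/emptiness checks stop arrays (PHP's ?foo[]= trick) or blanks from
// ever reaching the comparison.
function csrfValid($submitted): bool
{
    $expected = $_SESSION[CSRF_SESSION_KEY] ?? null;
    if (!is_string($expected) || !is_string($submitted) || $submitted === '') {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Rotate the token after privilege changes (login/logout) so a token captured
// before authentication is worthless afterwards.
function csrfRotate(): void
{
    unset($_SESSION[CSRF_SESSION_KEY]);
    csrfToken();
}

// Usage in a request handler:
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValid($_POST['_csrf'] ?? null)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
    // ... handle the form ...
}
echo '<form method="post">' . csrfField() . '<button>Save</button></form>';
```

Call `csrfRotate()` alongside `session_regenerate_id(true)` at login; both the session id and the token should change when the privilege level does.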

by Kevin Schroeder | 12:12 pm

How to use PHP with MySQL (without SQL Injection vulnerabilities)

Chris Dale recently posted a horrifying article on his blog. It is called “Why it’s easy being a hacker – A SQL injection case study”. The most horrifying part of the post was that
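To make the "without SQL injection vulnerabilities" part concrete, here is an added example (my code, not from this post or from Chris Dale's) of the same lookup written the injectable way and with a PDO prepared statement. It runs against an in-memory SQLite database with a constructed `users` table so it works offline; against MySQL only the DSN changes.

```php
<?php
// Added example: injectable query beside its prepared-statement replacement.
// The database, table and rows are constructed for the demo.

declare(strict_types=1);

function demoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
    $pdo->exec("INSERT INTO users (username, password_hash) VALUES ('alice', 'x'), ('bob', 'y')");
    return $pdo;
}

// VULNERABLE (kept deliberately): user input is concatenated into the SQL text,
// so the input can change the statement's structure, not just its value.
function findUserVulnerable(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the SQL text is fixed and the value travels separately as a bound
// parameter. Whatever the input contains, it is only ever compared as data.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = demoDb();
$payload = "' OR '1'='1";   // classic tautology injection

// The vulnerable version's WHERE clause becomes always-true and returns every user;
// the safe version looks for a user literally named "' OR '1'='1" and finds none.
printf("vulnerable: %d rows\n", count(findUserVulnerable($pdo, $payload)));
printf("safe:       %d rows\n", count(findUserSafe($pdo, $payload)));
```

With MySQL, also set `PDO::ATTR_EMULATE_PREPARES => false` in the connection options so the prepare really happens on the server; with emulation on, PDO quotes the parameters client-side, which is still safe when the connection charset is set in the DSN but is not the same guarantee.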

by Kevin Schroeder | 12:00 am

Encrypted session handler

A little while ago I had come upon the problem of having to store sensitive data in a user session. The solution that I (and several others) came upon was creating a mechanism for storing encrypted data in a session. But what we wanted to do was build something that didn’t have a single point of failure. We also wanted to build something portable. What we built was a simple Zend Framework session handler for storing sensitive data.
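As an added illustration of the idea, here is a plain-PHP save handler (my code, not the Zend Framework handler the post describes) that encrypts session payloads with AES-256-GCM before they reach PHP's default file store, so a read of the session directory or of a backup yields nothing usable. It assumes PHP 8.0 or newer with the OpenSSL extension; the key is taken from an environment variable as a stand-in for whatever secret store is actually in use.

```php
<?php
// Added example: drop-in encrypted session handler on top of PHP's own file
// handler. Assumes PHP >= 8.0 with ext-openssl. SESSION_KEY is a placeholder
// for a real secret store.

declare(strict_types=1);

final class EncryptedSessionHandler extends SessionHandler
{
    private const CIPHER  = 'aes-256-gcm';
    private const IV_LEN  = 12;   // 96-bit nonce, the recommended GCM size
    private const TAG_LEN = 16;

    public function __construct(private string $key)
    {
        if (strlen($key) !== 32) {
            throw new InvalidArgumentException('key must be exactly 32 bytes');
        }
    }

    // Called by PHP on session_start(): decrypt what the file handler returns.
    public function read(string $id): string|false
    {
        $blob = parent::read($id);
        if ($blob === false || $blob === '') {
            return $blob;            // new or empty session; nothing to decrypt
        }
        $plain = $this->decrypt($blob, $id);
        // A tampered or foreign blob fails GCM authentication: treat the session
        // as empty rather than load garbage into $_SESSION.
        return $plain === false ? '' : $plain;
    }

    // Called on session close: encrypt before the file handler persists it.
    public function write(string $id, string $data): bool
    {
        return parent::write($id, $this->encrypt($data, $id));
    }

    private function encrypt(string $plain, string $id): string
    {
        $iv = random_bytes(self::IV_LEN);
        // The session id is bound in as associated data, so a ciphertext copied
        // from one session file into another will not decrypt.
        $ct = openssl_encrypt($plain, self::CIPHER, $this->key, OPENSSL_RAW_DATA, $iv, $tag, $id, self::TAG_LEN);
        if ($ct === false) {
            throw new RuntimeException('session encryption failed');
        }
        return base64_encode($iv . $tag . $ct);
    }

    private function decrypt(string $blob, string $id): string|false
    {
        $raw = base64_decode($blob, true);
        if ($raw === false || strlen($raw) < self::IV_LEN + self::TAG_LEN) {
            return false;
        }
        $iv  = substr($raw, 0, self::IV_LEN);
        $tag = substr($raw, self::IV_LEN, self::TAG_LEN);
        $ct  = substr($raw, self::IV_LEN + self::TAG_LEN);
        return openssl_decrypt($ct, self::CIPHER, $this->key, OPENSSL_RAW_DATA, $iv, $tag, $id);
    }
}

// Register before session_start(). The key must be 32 bytes of real randomness
// kept outside the web root; an environment variable is used here as a placeholder.
$key = base64_decode(getenv('SESSION_KEY') ?: '', true);
if ($key === false || strlen($key) !== 32) {
    throw new RuntimeException('SESSION_KEY must be the base64 of 32 random bytes');
}
session_set_save_handler(new EncryptedSessionHandler($key), true);
session_start();
$_SESSION['ssn_last4'] = '1234';   // sensitive value, now encrypted at rest
```

Because the key lives with the application and the ciphertext with the session store, an attacker who only obtains the session files (a leaked backup, a misconfigured shared host) gets nothing; rotating the key simply invalidates every existing session, which is usually acceptable.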

by Kevin Schroeder | 12:00 am

Why you should be careful with phpinfo

I recently posted an image on why you shouldn’t put phpinfo() calls in your code.

There were a couple of comments from people asking “why not?”

Here’s why not.

Go to Google

Search for inurl:phpinfo

Check out the results

At the time of writing there were 4 pages on the first result page that were broadcasting their settings.

Here’s another fun one. Search for “inurl:phpinfo root”. Lots more.

There’s a bunch of information that you will see.
