Solved

Hosted Websites

Posted on 2014-09-25
7
225 Views
Last Modified: 2014-09-28
Hello, I have 15 wesbites hosted by various 3rd party providers such as Go Daddy and fast hosts. Sometimes people have to input their personal information such as name, date of birth and address. What should I be looking for in terms of security that the 3rd party hosting Companies should be providing to protect the websites from being hacked and its data ?

DNRRP
0
Comment
Question by:DNRRP
7 Comments
 
LVL 17

Expert Comment

by:bigeven2002
ID: 40345407
Hello,

For starters, if your domains do not have SSL certificates, that is a must as the user is submitting personal information.  GoDaddy offers SSL certs for about $70 a year starting.  I don't know about the other.  Once the certificate is applied, verify that you can access your form page with the HTTPS protocol.  If so, update your form pointer links to go to the HTTPS version and/or configure the form page header or the server's htaccess file to force that form page to only show in HTTPS.

Next, where is the data being submitted to?  Is it emailed, or is it stored in a database or file?  It would be best to store in a database which you can retrieve from GoDaddy's hosting tools such as phpMyAdmin.  Alternatively, you can create a password protected administrative page that has access to the database records.  Strong Password protection can be setup with a session login script or HTTP authentication.  The administrative page should not be advertised, i.e. don't have a link to it on other site pages.  Also if possible, if the link is discovered, the bad guys will naturally try to break into it with the methods below or brute force.  So create a lockout based on IP or even restrict page access based on IP.

Lastly, to help prevent hacking, make sure your form page has the appropriate protections against cross site scripting and SQL injection.  In other words, cleanse the data being submitted by using form validation.  Insert the cleansed data into your database.

Hope this helps.
0
 
LVL 14

Expert Comment

by:frankhelk
ID: 40345467
Besides of bigeven2002's tip - which focus on security by means of cracking the website's user interface - you should also have an eye on the security of your management access interfaces and the system ressources ... recent versions of the underlying software and a tight update schedule, fast reaction on security leaks, complex passwords and SSL when accessing the management interfaces (web & ftp).
0
 
LVL 58

Expert Comment

by:Gary
ID: 40346426
If all you are storing is name, date of birth and address then there is no security implications as that data can be found easily from many public sources.

It becomes a security issue if you are storing things like credit cards where you need to be using SSL and db encryption
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:DNRRP
ID: 40347322
Thank you all for this valuable information.

From reading your comments I would need to ensure the following for.anu 3rd Party Hosting Company that hosts my websites and stores personal data.
1) SSL Certificate.
2) Use of Complex passwords to the website backend management interfaces.
3) Prompt update schedule  of the website software as soon as this has been released.

There has been no mention of encryption of the data submitted on the website or data access contr? .  I.e Who has access to the data submitted on the hosted third party servers by the hosting company themselves or how long they keep the data ?

DNRRP
0
 
LVL 17

Expert Comment

by:bigeven2002
ID: 40348130
Encryption is used by SSL During the transmission of data.  You can use encryption on the data itself before storing into database if desired.  if your form uses PHP, it has encryption functions for the variable data.  But of course if you store the data encrypted you will need a way to read the data. So use a two way encryption algorithm and then have your administrative page supply the key to decrypt the data that is selected for viewing.  The data will stay in the databases indefinitely until you manually remove it or cancel your hosting plan.  The hosting companies may have different retention policies for data after a plan is canceled, so you will need to confirm that with them.
0
 

Author Comment

by:DNRRP
ID: 40348299
bigeven2002 - Really appreciate the information you have provided, I have never setup two way encryption algorithm on a Go Daddy or fast host site. Do you have any links or information on this ?
0
 
LVL 17

Accepted Solution

by:
bigeven2002 earned 500 total points
ID: 40348904
Certainly.  Mcrypt is probably the most common method and a good starting point.  You specify the key and cipher strength as parameters.  Here is the official page on that function.

http://php.net/manual/en/function.mcrypt-encrypt.php

Another thing I would recommend is using base64 to translate the encrypted string into a hex data format which makes it more data store friendly.  Then decode the base64 before decrypting the data for viewing.

http://php.net/manual/en/function.base64-encode.php

http://php.net/manual/en/function.base64-decode.php

So basically it would work like this.  When the form data is submitted to your handler page, use Mcrypt to encrypt the data, then use base64 to encode the encrypted data, then store the encoded data into your database.

Then on your administrative page, select the data from your database, have the handler decode the data from base64 and then use Mcrypt to decrypt the data and then output to your page.

It may be a bit confusing but this is how I have done it in the past.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
retrieving files from old server once DNS has changed 10 72
PHP connection to remote AWS MySQL RDS 4 145
Are online paid surveys a scam ? 2 62
Checking https returns 301 21 54
With a software solution, you always get to control email signatures and have the final say on the design - not an unrelated department or the uninterested end user.
A great marketing strategy is diverse.  Read about the not so popular, yet effective, marketing tactics you can start using today!
An overview of how to create reports in Adobe Analytics (formerly Omniture Site Catalyst) using pageNames, events, eVars and props. This video will show you how to install the Omniture Debugger tool so can see (and test) what is being passed int…
Learn how to set-up PayPal payment integration in your Wufoo form. Allow your users to remit payment through PayPal upon completion of your online form. This is helpful for collecting membership payments, customer payments, donations, and more.

713 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question