317 Providing Secure Transactions You should note that some people will disable features that they consider a security or privacy risk, such as Java, cookies, or JavaScript. If you use these features, you should either test that your application degrades gracefully for people without these features, or consider providing a less feature rich interface that allows these people to use your site. Users outside the United States and Canada might have Web browsers that only sup- port 40-bit encryption. Although the U.S. Government changed the law in January 2000 to allow export of strong encryption (to non-embargoed countries) and 128-bit versions are now available to most users, some of them will not have upgraded. Unless you are making guarantees of security to users in the text of your site, this need not concern you overly as a Web developer. SSL will automatically negotiate for you to enable your server and the user’s browser to communicate at the most secure level that they both under- stand. We cannot be sure that we are dealing with a Web browser connecting to our site through our intended interface. Requests to our site might be coming from another site stealing images or content, or from a person using software such as cURL to bypass safe- ty measures. We will look at the cURL library, which can be used to simulate connections from a browser, in Chapter 17,“Using Network and Protocol Functions.”This is useful to us as developers, but can also be used maliciously. Although we cannot change or control the way that our users’ machines are set up, we do need to bear it in mind.The variability of user machines might be a factor in how much functionality we provide via server-side scripting (such as PHP) and how much we provide via client-side scripting (such as JavaScript). Functionality provided by PHP can be compatible with every user’s browser, as the end result is merely an HTML page. Using anything but very basic JavaScript will involve taking into account the different capabilities of individual browser versions. From a security perspective, we are better off using server-side scripting for such things as data validation because, that way, our source code will not be visible to the user. If we validate data in JavaScript, users will be able to see the code and perhaps circum- vent it. Data that needs to be retained can be stored on our own machines, as files or database records, or on our users’ machines as cookies.We will look at using cookies for storing some limited data (a session key) in Chapter 20,“Using Session Control in PHP.” The majority of data we store should reside on the Web server, or in our database. There are a number of good reasons to store as little information as possible on the user’s machine. If the information is outside your system, you have no control over how securely it is stored, you cannot be sure that the user will not delete it, and you cannot stop the user from modifying it in an attempt to confuse your system. The Internet Like the user’s machine, you have very little control over the characteristics of the Internet, but, like the user’s machine, this does not mean that you can ignore these char- acteristics when designing your system. 19 525x ch15 1/24/03 3:41 PM Page 317 318 Chapter 15 Implementing Secure Transactions with PHP and MySQL The Internet has many fine features, but it is an inherently insecure network.When sending information from one point to another, you need to bear in mind that others could view or alter the information you are transmitting, as we discussed in Chapter 13. With this in mind, you can decide what action to take. Your response might be to n Transmit the information anyway, knowing that it might not be private. n Encrypt or sign the information before transmitting it to keep it private or protect it from tampering. n Decide that your information is too sensitive to risk any chance of interception and find another way to distribute your information. The Internet is also a fairly anonymous medium. It is difficult to be certain whether the person you are dealing with is who they claim to be. Even if you can assure yourself about a user to your own satisfaction, it might be difficult to prove this beyond a suffi- cient level of doubt in a forum such as a court.This causes problems with repudiation, which we discussed in Chapter 13,“E-commerce Security Issues.” In summary, privacy and repudiation are big issues when conducting transactions over the Internet. There are at least two different ways you can secure information flowing to and from your Web server through the Internet: n SSL (Secure Sockets Layer) n S-HTTP (Secure Hypertext Transfer Protocol) Both these technologies offer private, tamper resistant messages and authentication, but SSL is readily available and widely used whereas S-HTTP has not really taken off.We will look at SSL in detail later in this chapter. Your System The part of the universe that you do have control over is your system.Your system is represented by the components within the rectangular box as shown previously in Figure 15.1.These components might be physically separated on a network, or all exist on the one physical machine. It is fairly safe to not worry about the security of information while the various third-party products that we use to deliver our Web content are handling it.The authors of those particular pieces of software have probably given them more thought than you have time to give them.As long as you are using an up-to-date version of a well-known product, you will be able to find any well-known problems by judicious application of Google or your favorite Web search engine.You should make it a priority to keep up-to- date with this information. If installation and configuration are part of your role, you do need to worry about the way software is installed and configured. Many mistakes made in security are a result of 19 525x ch15 1/24/03 3:41 PM Page 318 319 Using Secure Sockets Layer (SSL) not following the warnings in the documentation, or involve general system administra- tion issues that are topics for another book. Buy a good book on administering the operating system you intend to use, or hire an expert system administrator. One specific thing to consider when installing PHP is that it is generally more secure, as well as much more efficient, to install PHP as a SAPI module for your Web server than to run it via the CGI interface. The primary thing you need to worry about is what your own scripts do or not do. What potentially sensitive data does our application transmit to the user over the Internet? What sensitive data do we ask users to transmit to us? If we are transmitting information that should be a private transaction between us and our users or that should be difficult for an intermediary to modify, we should consider using SSL. We have already talked about using SSL between the user’s computer and the server. You should also think about the situation where you are transmitting data from one component of your system to another over a network.A typical example arises when your MySQL database resides on a different machine from your Web server. PHP will connect to your MySQL server via TCP/IP, and this connection will be unencrypted. If these machines are both on a private local area network, you need to ensure that net- work is secure. If the machines are communicating via the Internet, your system will probably run slowly, and you need to treat this connection in the same way as other connections over the Internet. It is important that when our users think they are dealing with us, they are dealing with us. Registering for a digital certificate will protect our visitors from spoofing (someone else impersonating our site), allow us to use SSL without users seeing a warn- ing message, and provide an air of respectability to our online venture. Do our scripts carefully check the data that users enter? Are we careful about storing information securely? We will answer these questions in the next few sections of this chapter. Using Secure Sockets Layer (SSL) The Secure Sockets Layer protocol suite was originally designed by Netscape to facilitate secure communication between Web servers and Web browsers. It has since been adopt- ed as the unofficial standard method for browsers and servers to exchange sensitive infor- mation. Both SSL version 2 and version 3 are well supported. Most Web servers either include SSL functionality, or can accept it as an add-on module. Internet Explorer and Netscape have both supported SSL from version 3. Networking protocols and the software that implements them are usually arranged as a stack of layers. Each layer can pass data to the layer above or below, and request services of the layer above or below. Figure 15.2 shows such a protocol stack. 19 525x ch15 1/24/03 3:41 PM Page 319 320 Chapter 15 Implementing Secure Transactions with PHP and MySQL Figure 15.2 The protocol stack used by an application layer protocol such as Hypertext Transfer Protocol. When you use HTTP to transfer information, the HTTP protocol calls on the Transmission Control Protocol (TCP), which in turn relies on the Internet Protocol (IP).This protocol in turn needs an appropriate protocol for the network hardware being used to take packets of data and send them as an electrical signal to our destination. HTTP is called an application layer protocol.There are many other application layer protocols such as FTP, SMTP and telnet (as shown in the figure), and others such as POP and IMAP.TCP is one of two transport layer protocols used in TCP/IP networks. IP is the protocol at the network layer.The host to network layer is responsible for con- necting our host (computer) to a network.The TCP/IP protocol stack does not specify the protocols used for this layer, as we need different protocols for different types of net- works. When sending data, the data is sent down through the stack from an application to the physical network media.When receiving data, data travels up from the physical net- work, through the stack, to the application. Using SSL adds an additional transparent layer to this model.The SSL layer exists between the transport layer and the application layer.This is shown in Figure 15.3.The SSL layer modifies the data from our HTTP application before giving it to the transport layer to send it to its destination. HTTP FTP SMTP … TCP/UDP IP Various Application Layer Transport Layer Network Layer Host to Network Layer SSL Handshake Protocol SSL Change Cipher HTTP SSL Alert Protocol … SSL Record Protocol TCP IP Application Layer SSL Layer Transport Layer Network Layer Host to Network Layer Host to Network Figure 15.3 SSL adds an additional layer to the protocol stack as well as application layer protocols for controlling its own operation. SSL is theoretically capable of providing a secure transmission environment for protocols other than HTTP, but is normally only used for HTTP. Other protocols can be used because the SSL layer is essentially transparent.The SSL layer provides the same interface to protocols above it as the underlying transport layer. It then transparently deals with handshaking, encryption, and decryption. When a Web browser connects to a secure Web server via HTTP, the two need to follow a handshaking protocol to agree on things such as authentication and encryption. 19 525x ch15 1/24/03 3:41 PM Page 320 321 Using Secure Sockets Layer (SSL) The handshake sequence involves the following steps: 1. The browser connects to an SSL enabled server and asks the server to authenticate itself. 2. The server sends its digital certificate. 3. The server might optionally (and rarely) request that the browser authenticate itself. 4. The browser presents a list of the encryption algorithms and hash functions it sup- ports.The server selects the strongest encryption that it also supports. 5. The browser and server generate session keys: 5.1 The browser obtains the server’s public key from its digital certificate and uses it to encrypt a randomly generated number. 5.2 The server responds with more random data sent in plaintext (unless the browser has provided a digital certificate at the server’s request in which case the server will use the browser’s public key). 5.3 The encryption keys for the session are generated from this random data using hash functions. Generating good quality random data, decrypting digital certificates, and generating keys and using public key cryptography takes time, so this handshake procedure takes time. Fortunately, the results are cached, so if the same browser and server want to exchange multiple secure messages, the handshake process and the required processing time only occur once. When data is sent over an SSL connection, the following steps occur: 1. It is broken into manageable packets. 2. Each packet is (optionally) compressed. 3. Each packet has a message authentication code (MAC) calculated using a hashing algorithm. 4. The MAC and compressed data are combined and encrypted. 5. The encrypted packets are combined with header information and sent to the net- work. The entire process is shown in Figure 15.4. One thing you might notice from the diagram is that the TCP header is added after the data is encrypted.This means that routing information could still potentially be tam- pered with, and although snoopers cannot tell what information we are exchanging, they can see who is exchanging it. The reason that SSL includes compression before encryption is that although most network traffic can be (and often is) compressed before being transmitted across a net- work, encrypted data does not compress well. 19 525x ch15 1/24/03 3:41 PM Page 321 . communication between Web servers and Web browsers. It has since been adopt- ed as the unofficial standard method for browsers and servers to exchange sensitive infor- mation. Both SSL version 2 and version. with handshaking, encryption, and decryption. When a Web browser connects to a secure Web server via HTTP, the two need to follow a handshaking protocol to agree on things such as authentication and. long as you are using an up-to-date version of a well-known product, you will be able to find any well-known problems by judicious application of Google or your favorite Web search engine.You should