I am working on a wordpress plugin. My plugin requires some data to be transferred from user's wordpress to my site (on server side). I can use cURL for that but I want to provide little security. I cannot use HTTPS or SSL because this data is not that sensitive which worth paying for certificates. How can I do that? Some public-key private key algorithm or something? And in which format should I transfer data? They are few strings. Can you suggest me a secure way for this? I am concerned about MITM attacks. Thanks.
Asked
Active
Viewed 425 times
1
-
I think the only way would be to use SSL. Your plugin source code will be public so you cannot use any private-key based encryption. – laurent Jun 20 '12 at 04:05
-
SSH (**public/private keys**) or a self-signed certificate for HTTPS should work just fine (just requires *consumers* trust). SSH is nice because then tools like SCP or SFTP can be used (instead of cURL, for instance). HTTPS is nice because it's HTTPS. – Jun 20 '12 at 04:05
-
1Self-signed SSL certificates are free. – jordanm Jun 20 '12 at 04:05
-
Can't it be like, data is encrypted with my public key and I can decrypt it using my private key? So it won't be issue if source code is open to users. I am using shared hosting for now, so I can't use self signed certificates also. – ksg91 Jun 20 '12 at 04:12
-
It was *almost* like someone suggested SSH (push, pull or forward). For encrypted archives/files/messages, see PGP. If only *verification* is needed (e.g. not encryption), consider a simple hash (MD5 or SHAx) checksum. – Jun 20 '12 at 05:17
-
SSL certificates are cheap, or isn't your time worth $30 a year? – Devraj Jul 19 '12 at 10:57
3 Answers
1
I am not sure if this would be a solution but you can always read the info from your end. Can you collect the information into local file (in the client's plugin folder) and then remotely read it from your server (by some crone script) on regular basis ? and use something like
file_get_contents("http:// wordpress pluginfolder ..... etc. ???
... plugin folder is always in the same place so the URL shouldn't be an issue ... for the "securely" part, just protect the file so only you can read it
Milan
- 3,209
- 1
- 35
- 46
1
Is providing the user (who has their own wordpress site) a unique "token" to store in the plugin's config an option?
If you have a token for each user, and the user has a matching token, the data can be encrypted and decrypted with that token.
The token itself is never communicated alongside the encrypted data, so any man in the middle would have a lot harder time decrypting it (not impossible, but the best you'll get without SSH).
Dean Rather
- 31,756
- 15
- 66
- 72
-
Yes, this is what I want. But what algorithms should I use to encrypt the data? – ksg91 Jun 24 '12 at 16:47
0
I am using following approach to transfer secure data over HTTP.
Data is a Request object, which I am serializing. Now this serialized object is encrypted using mcrypt_encrypt() as below
$encrypted=base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($key), $string, MCRYPT_MODE_CBC, md5(md5($key))));
as mentioned here and POST that encrypted data to my host using curl.
On my host, I decrypt the data using
$decrypted = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($key), base64_decode($encrypted), MCRYPT_MODE_CBC, md5(md5($key))), "\0");
and then unserialize the object. I am also adding salt for greater security.
For more detailed explaination, you can visit this post
