1

I have a PHP file which my clients will execute on their server. It constantly communicates with my server. Now, how can I protect this communication from eavesdropping and man-in-the-middle attacks without SSL? The reason I do not want SSL is that I am using file_get_contents in the client PHP file to contact the server (OpenSSL/cURL may be disabled on the client, so I am forced to use file_get_contents without SSL).

Thank you for your time and effort.

Vishnu

3 Answers

2

You can encrypt the sensitive data and decrypt it.

The packets will be visible, but the actual data should be safe.

Both servers will need the encryption/decryption keys.

galchen
0

The only solution for this problem will be to have a custom-built scrambler do the job. I did not want to go that far, so I decided not to transmit any important information and let those communications be done manually.

Vishnu
  • Custom-built encryption is the absolute opposite of security. This is creating an interesting puzzle, drawing more attention to your data than you really want/need to. This is putting a big flashing neon sign on your data, with the message "**decrypt me!**" Always, always, always use a well tested, battle hardened encryption system. – Ghedipunk Jun 18 '15 at 18:19
0

To prevent the need for pre-shared private keys, you could also look into a public key option such as GPG which would only necessitate the servers that wish to contact you having your public key, but only you could decrypt the data with your private key. This alleviates the need for a pre-shared private key on both ends of the transaction.

majic bunnie
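The public-key approach from the last answer, as an added example that is not part of the original thread: it swaps GPG for libsodium sealed boxes and Ed25519 signatures, so the client file carries only the server's two public keys. It assumes the sodium extension (bundled since PHP 7.2) is enabled on both hosts; all function and variable names are hypothetical, and both ends are simulated in one script.

```php
<?php
// Added example: client and server simulated in one script; all names are hypothetical.
// Assumes the sodium extension (bundled since PHP 7.2) is enabled on both hosts.

// One-time setup on the server. Only the two public keys ship inside the client file.
$boxKeypair  = sodium_crypto_box_keypair();   // X25519: decrypts requests
$signKeypair = sodium_crypto_sign_keypair();  // Ed25519: signs replies
$serverBoxPublic  = sodium_crypto_box_publickey($boxKeypair);
$serverSignPublic = sodium_crypto_sign_publickey($signKeypair);

// Client: a fresh keypair per request lets the server encrypt its reply to us
// and doubles as a nonce that ties the reply to this request.
function client_build_request(string $payload, string $serverBoxPublic): array
{
    $ephemeral = sodium_crypto_box_keypair();
    $sealed = sodium_crypto_box_seal(sodium_crypto_box_publickey($ephemeral) . $payload, $serverBoxPublic);
    return [$ephemeral, base64_encode($sealed)]; // second item is the HTTP body
}

// Server: open the request, sign (client key + reply), seal it to the client key.
function server_handle(string $body, string $boxKeypair, string $signKeypair): string
{
    $sealed = base64_decode($body, true);
    $plain = $sealed === false ? false : sodium_crypto_box_seal_open($sealed, $boxKeypair);
    if ($plain === false || strlen($plain) < SODIUM_CRYPTO_BOX_PUBLICKEYBYTES) {
        throw new RuntimeException('request rejected'); // altered or not sealed to us
    }
    $clientPublic = substr($plain, 0, SODIUM_CRYPTO_BOX_PUBLICKEYBYTES);
    $reply = 'ack:' . substr($plain, SODIUM_CRYPTO_BOX_PUBLICKEYBYTES); // constructed reply
    $signed = sodium_crypto_sign($clientPublic . $reply, sodium_crypto_sign_secretkey($signKeypair));
    return base64_encode(sodium_crypto_box_seal($signed, $clientPublic));
}

// Client: decrypt, check the server's signature, check the reply is for this request.
function client_read_reply(string $body, string $ephemeral, string $serverSignPublic): string
{
    $sealed = base64_decode($body, true);
    $signed = $sealed === false ? false : sodium_crypto_box_seal_open($sealed, $ephemeral);
    $message = $signed === false ? false : sodium_crypto_sign_open($signed, $serverSignPublic);
    $mine = sodium_crypto_box_publickey($ephemeral);
    if ($message === false || !hash_equals($mine, substr($message, 0, strlen($mine)))) {
        throw new RuntimeException('reply is forged, altered, or belongs to another request');
    }
    return substr($message, strlen($mine));
}

[$ephemeral, $request] = client_build_request('status=ok', $serverBoxPublic);
$response = server_handle($request, $boxKeypair, $signKeypair);
echo client_read_reply($response, $ephemeral, $serverSignPublic), PHP_EOL;
```

This covers confidentiality in both directions and authenticity of the reply. The server does not learn which client sent a request and does not detect a replayed request.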