I wonder if somebody could give me some guidance on this.
I manage a website programmed in PHP and having MySQL backend. Recently some of my clients raised concerns about the security of their data. It is not credit card information or so, however I would like to sort it out.
I have a button on the web site which the clients click to tell me that their data should now be analysed and a report sent to them. My php program pulls out the records for this particular user and writes them into an excel file on my web space(on a shared hosting). The same php program then attaches this excel file to an email and sent it to me.
I want to make sure that this data in the excel file is securely transmitted during the above process.
Any help would be much appreciated.
Yes exactly,I want to protect the content of the attachment from any e-mail snoopers. I am not worried about the ‘inside attack’.
I am going to have a look at your suggestions.
What is the exact attack surface that you are trying to defend? As I understand it, you simply want to protect the e-mail from being read by man-in-the-middle attackers. Is that correct?
The first thing that you need to realize is that the data itself is vulnerable to anyone else on the shared hosting server (that doesn’t necessarily mean it can be hacked in practice, but it can in theory). As such, there is no way to adequately shield your data from attackers “on the inside.” The only real protection that you can build is against e-mail snoopers.
For this you should look into some sort of OpenPGP encryption for the e-mail. If you’d like to roll out your own solution rather than relying on other software, you need to look into public/private key encryption (e.g. RSA). I believe that the OpenSSL extension has the functionality that you require. Keep your private key safe on your home computer and give the server your public key for encryption.