Re: Can web site data be protected from access by the webmasters?

From: Skillman Hunter (ski@acrobyte.com)
Date: 06/30/02


From: "Skillman Hunter" <ski@acrobyte.com>
Date: Sun, 30 Jun 2002 01:49:26 -0700

The client already has a contract for this project and knows
little about web site design or internet security.
Canceling a contract can be an expensive hassle.
The client contacted me after the fact of contract signing.
That the client did a stupid thing is a given.
Happens every day! That is why they hire folk like us.
(Consultant: Reads the books on client's shelf and tells
client what they say.)
I am trying to evaluate options to give the client the best
possible advice as to how to proceed from here.
The obvious answer is to fire the contractor.

But I don't want to overlook an obvious way the issue can be handled.
I am trying to anticipate what the other side may say,
"Oh sure, you can just have someone encrypt the SQL Server tables
and we will never be able to see the data."
But they could build an HTTPS web page that retrieves all the records
and lists them.
So my question seems to boil down to
"How does HTTPS/SSL interact with encrypted SQL Server tables?"
Can we have three passwords:
1) Users enter to submit new data or edit old data.
2) Web contractor enters to edit web pages, but they see encrypted data.
3) Full access to see actual data.
Seems like this is a good security plan even without the contract hassles,
given all the hack attempts I get on my system every day.

Apparently Microsoft is pushing their "Palladium" system as a solution
to this kind of problem by tossing out TCP/IP and encrypting the
entire path from keyboard through microprocessor, NIC cards
and the internet:
See: http://www.pbs.org/cringely/pulpit/pulpit20020627.html

Skillman Hunter


"SQL Guy" <SQLGuy@EarthLink.Net> wrote in message news:#L#t26#HCHA.1600@tkmsftngp12...
> It's possible, but why bother? Just find a company which is not interested
> in the data.
>
>
> "Skillman Hunter" <ski@acrobyte.com> wrote in message
> news:#f4Cxe0HCHA.1748@tkmsftngp13...
> > One of my clients was interested in a web site and has contracted with someone to do it.
> > The site basically is for magazine subscriptions.
> > I have advised the client to be wary of security.
> > The person doing the site for the client is in the same industry as the client's.
> > And that person is asking for the client's customer database.
> > "But I don't want to give out that information, it is worth its weight in gold."
> > I replied "Whoever has control over the web site has access to all the information.
> > As time goes by, even without the current database, in a few years
> > as renewals accrue all the subscribers will be in the web database."
> > Client said "But it is going to be a SECURE web site."
> > I said, "Yes, secure to anyone that does NOT have access to the web pages and DB."
> > The web programmer involved is a friend of the person the client contracted with.
> > And client thinks that person is also the ISP.
> >
> > Does anyone know of any way that a web site with SQL Server DB can be made
> > secure from the webmaster that created it?
> > A "secure" web site uses HTTPS/SSL to encrypt the HTTP messages to and from the server
> > acting at the Presentation level of the socket software to prevent access
> > from outside the server, but not that the server DB would be encrypted.
> > I presume that data in SQLServer, or whatever DB is used can be encrypted.
> > But what happens to the data as it is transmitted to and from the DB to SSL?
> >
> > Or one could not have a server DB at all and just have encrypted emails
> > sent to the client's office system - not efficient, but possible.
> >
> > But I don't see that there could be any way to completely encrypt that data
> > in a way that the web site programmer or ISP would not have access to it.
> > Am I wrong?
> >
> > I have advised the client to arrange for a third disinterested party to do the web site.
> >
> >
>
>

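Added example (not part of the original post or thread): a sketch of the three-role split asked about above, in which the web tier holds only a public key, so stored rows are ciphertext to anyone with table access and only the private-key holder can read them. It assumes the Python `cryptography` package; the function names, table, sample record and the use of SQLite as a stand-in for SQL Server are constructed for illustration. It covers stored data only: the page code that receives a submission still handles that one record in the clear.

```python
import os
import sqlite3
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)

def seal(public_key, record: bytes):
    """Web tier (role 1 path): encrypts with the owner's PUBLIC key only."""
    data_key, nonce = AESGCM.generate_key(bit_length=256), os.urandom(12)
    body = AESGCM(data_key).encrypt(nonce, record, None)
    # The per-record AES key is wrapped so only the private key can recover it.
    return public_key.encrypt(data_key, OAEP), nonce, body

def unseal(private_key, wrapped_key, nonce, body) -> bytes:
    """Owner (role 3 path): needs the PRIVATE key, which never goes to the server."""
    data_key = private_key.decrypt(wrapped_key, OAEP)
    return AESGCM(data_key).decrypt(nonce, body, None)

def demo():
    # Owner generates the pair in the office; only the public half is deployed.
    owner_private = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    web_public = owner_private.public_key()

    db = sqlite3.connect(":memory:")  # stand-in for the SQL Server table
    db.execute("CREATE TABLE subscribers (wrapped_key BLOB, nonce BLOB, body BLOB)")
    record = b"Jane Example|12 Sample St|renews 2003-06"  # constructed sample
    db.execute("INSERT INTO subscribers VALUES (?, ?, ?)", seal(web_public, record))

    # Contractor/ISP view (role 2 path): full table access, ciphertext only.
    row = db.execute("SELECT wrapped_key, nonce, body FROM subscribers").fetchone()
    contractor_sees_plaintext = any(b"Jane" in col for col in row)

    # Owner view: the same row, decrypted away from the server.
    return contractor_sees_plaintext, unseal(owner_private, *row)

if __name__ == "__main__":
    print(demo())
```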

