A huge amount of personal information will be stored
in the database of this project. Therefore it is an
absolute priority, and a necessity, to build this system
to be as secure as possible. Some people would pay a lot
of money to be able to use this data.
The security concept is divided into the following 3 subjects:
* Security of the User Computer
* Security of the way the data is transmitted via the Web
* Security of the data in the database
Security of the User Computer
Although we can't see exactly how secure a Client
Computer is, we have several options to know a bit more
than nothing - and we should use them to inform the User
about possible security leaks (http://www.port-scan.de/
is a good idea to follow).
Security of the way the data is transmitted via the Web
Okay, there is HTTPS of course, and this MUST be used
without the possibility to change that. No choice will
be given.
But perhaps this is not secure enough - and perhaps YOU
know additional features that can improve the security
in this sensitive phase and that have nearly no effect
on convenience.
Security of the data in the database
Well, this is of course the biggest part. Linux, of
course, is recommended as the Platform. But a Weapon is
useless when you can't fight with it. So these are a
few possible ideas to follow:
* Sessions
* Consistent use of database rights
* Consistent use of file rights
* Consistent use of apache rights
* Automated Backups
* Use of strategies from Adamantix, SELinux, Trustix,
hardened Gentoo?
* Other strategies (feel free to post some at the lists
or at blanckenhorn@users.sourceforge.net)
Dirk Blanckenhorn