Bugtraq mailing list archives
Re: Cracking String Encryption in Java Obfuscated Bytecode
From: John GALLET <john.gallet () wanadoo fr>
Date: Fri, 24 Nov 2006 17:24:38 +0100 (CET)
Hi,
1) If you are deploying Java on the server you are protected by so many layers, code obfuscation is not critical
If you want to distribute your app without people getting access to the code itself, being on client or server is not relevant. Whatever the reason for wanting to do so.
2) If you are deploying Java Applets for enterprise applications, you are nuts. They are inherently insecure and Java applets have a long history of critical problems.
So have cookies and javascript based web applications. Yet cookies are used everywhere for anything/everything and "ajax" is the new big boy in town. It is not because something is insecure that people don't use it in the real world, not the perfect secure one. You would be amazed of how many times I heard "it's useless to check again the data on the [php|java|asp|perl] side, we already did it in JS" or "why add a java middle-tier server side, we can obfuscate the jar file and have the client PC talk directly to the database" (yeah sure, I'll make a public, unencrypted, access for you guys).
From a security *threat* point of view, I agree that we could/should more
of these issues.
With the continuous move towards bytecode type of languages (with java and .NET being the prime examples)
Same goes with PHP BTW. JG
Current thread:
- Cracking String Encryption in Java Obfuscated Bytecode subere (Nov 23)
- Re: Cracking String Encryption in Java Obfuscated Bytecode Jim Manico (Nov 24)
- Re: Cracking String Encryption in Java Obfuscated Bytecode John GALLET (Nov 24)
- <Possible follow-ups>
- RE: Cracking String Encryption in Java Obfuscated Bytecode Jeremy Epstein (Nov 27)
- Re: Cracking String Encryption in Java Obfuscated Bytecode Jim Manico (Nov 24)