Re: Magic quotes? Should I still be cautious? [message #176613 is a reply to message #176607] Wed, 11 January 2012 14:43
Arno Welzel
The Natural Philosopher, 2012-01-11 12:53:

> Arno Welzel wrote:
>> Jerry Stuckle, 2012-01-08 21:59:
>>
>> [...]
>>> I do other things also, but don't want to get into too much detail in a
>>> public forum.
>>
>> "Security by obscurity" does not work.
>
> actually it does. It is the basis for all passwords for example.

I didn't talk about passwords m( but *procedures*. And a secret password
is not "security by obscurity".

In cryptography this is the most important principle: keep the password
or private key secret, but not the procedure - and cryptographic
procedures which are not documented have to be considered insecure.

If you say "I do something in my application to keep it secure, but I
won't tell anybody what this is - because if I did, a hacker could use
this information to attack my application" - then your procedure is
flawed, since you risk that the whole thing may fail as soon as someone
finds out how it works.

A procedure has to be secure *even* when everybody knows how it works.

For example: A packet filter in Linux is also not secure because nobody
knows how it works.

Or another example: A user database must never store plain text
passwords but only in an encrypted form - but the procedure of the
encryption must be documented. Otherwise you will never know if there
are flaws in the procedure which are already used by attackers. And if
you are not an expert in cryptography, don't even think about creating
your own "secure" encryption - and the same often also applies to code
which is considered to be "secure" against attacks.

>> If your security only relies on
>> the fact, that you try to keep the procedures or code a secret, it is
>> flawed.


--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de