PerlMonks
sections in the config file to store sensitive content that must be encrypted, i.e. the connection string, and must be decrypted by the application.

This may give you a warm fuzzy feeling that you have used encryption and so everything simply just must be safe. But this is just a little annoyance for anyone trying to get the data: The application must contain the decryption code, and it must contain the decryption key. Both can be extracted, and with the addition of a few simple print statements, you can see the "protected" information in plain text. If the decryption code is buried in the runtime environment, things become even easier for an attacker: Just find the key, call the runtime environment's decryption routine in your own ten line script, and print what it returns when processing the "protected" information.

Oh, and I almost forgot: How does it help to encrypt information in a config file that is afterwards transmitted in clear through the network, e.g. when connecting to a MySQL or FTP server?

Alexander

-- Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)

In reply to Re^2: Where should I have configuration information in a file or database
by afoken