On 9/4/06, Vassilis Aggelakos <[EMAIL PROTECTED]> wrote:
Today I have another "silly" question for you.
Not a silly question. A good one.
If the source code is available to anyone, what stops a "bad" guy from revealing all the cryptographic / encryption details to the internet? And if this is the case, how secure can such a database server be?
It is a question of how you encrypt your data. If the client and server must generate unique keys and exchange them (in secret), then the communications are secure, even if you know the *method* they use, because you don't know the *keys*.

What it does prevent is "stupid" security such as "security by obscurity." Let's say you create a SystemAdmin account "sa" for your database server, and you set its default password as "sa." If you distribute your database server source code, everyone will know your password. That would be dumb. Instead, you ship code that requires the user to create their own password on startup. Your application is secure, even if someone can read the source.

Open Source encourages the use of well-known, secure means of encryption. I worry far more about closed-source software, where they may have made these kinds of dumb decisions, but I can't tell, since I can't read their source code.

-- 
Ted Roche
Ted Roche & Associates, LLC
http://www.tedroche.com


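As an added example that is not part of this thread, here is the first-start setup Ted describes, in Python: the hashing method is fully visible to anyone reading the source, the shipped "sa"/"sa" default is refused, and the secret is the user-chosen password plus a per-install salt. Function names and the `SHIPPED_DEFAULTS` list are hypothetical.

```python
"""Added example (not from the original thread): first-run account setup
for a database server whose source code is public. The key derivation
scheme is known to every reader; security rests on the per-install salt
and the user-chosen password, not on hiding the method."""
import hashlib
import hmac
import secrets

# Hypothetical: credentials that ship in the source and must never be accepted.
SHIPPED_DEFAULTS = {("sa", "sa")}
MIN_PASSWORD_LEN = 12


def is_shipped_default(username: str, password: str) -> bool:
    """True when the pair is one of the well-known defaults from the source tree."""
    return (username, password) in SHIPPED_DEFAULTS


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    # PBKDF2-HMAC-SHA256: a published, well-known derivation; nothing to hide here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def create_account(username: str, password: str) -> dict:
    """Startup step: refuse the shipped default and store only a salted hash."""
    if is_shipped_default(username, password):
        raise ValueError("shipped default credentials refused; choose your own password")
    if len(password) < MIN_PASSWORD_LEN:
        raise ValueError("password too short")
    salt = secrets.token_bytes(16)  # fresh per-install secret, not in the source
    return {"user": username, "salt": salt, "hash": hash_password(password, salt)}


def verify(record: dict, username: str, password: str) -> bool:
    """Check a login attempt against the stored record in constant time."""
    if record["user"] != username:
        return False
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(record["hash"], candidate)
```

Two installs that pick the same password still end up with different stored hashes because each generates its own salt, so reading the code (or one install's database) tells an attacker nothing about another.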