Ted,

> It is a question of how you encrypt your data. If the client and
> server must generate unique keys and exchange them (in secret), then
> the communications are secure, even if you know the *method* they use,
> because you don't know the *keys*.

OK, that's clear, but if I, as a developer of MySQL for example, know that root's SuperDifficultAndEncrypted password is stored in the registry under HKLM\MySQL\PWD\etc., or at various registry keys, or at the 154th byte of the sample.bin file, or at the 54th sector of the primary disk, I can easily gain access to the system. The root password is stored (encrypted) somewhere on my PC; if I know the place, I can replace it with my encrypted form of a known password, or, even worse, if I can modify the checking routines it is really easy to do the job.

Am I missing something obvious?

Thank you

----- Original Message ----- From: "Ted Roche" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Monday, September 04, 2006 9:09 PM
Subject: Re: [NF] Open Source Rookie + Database Servers


On 9/4/06, Vassilis Aggelakos <[EMAIL PROTECTED]> wrote:

> Today I have another "silly" question for you.

Not a silly question. A good one.

> If the source code is available to anyone, what stops a "bad" guy from revealing all the cryptographic / encryption details to the internet? And if this is
> the case, how secure can such a database server be?

It is a question of how you encrypt your data. If the client and
server must generate unique keys and exchange them (in secret), then
the communications are secure, even if you know the *method* they use,
because you don't know the *keys*.

What it does prevent is "stupid" security such as "security by
obscurity." Let's say you create a SystemAdmin account "sa" for your
database server, and you set its default password as "sa." If you
distribute your database server source code, everyone will know your
password. That would be dumb. Instead, you ship code that requires the
user to create their own password on startup. Your application is
secure, even if someone can read the source.

Open Source encourages the use of well-known, secure means of encryption.

I worry far more about closed-source software, where they may have
made these kinds of dumb decisions, but I can't tell, since I can't
read their source code.

--
Ted Roche
Ted Roche & Associates, LLC
http://www.tedroche.com


[excessive quoting removed by server]
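Ted's "sa"/"sa" example and Vassilis's follow-up about where the stored password lives both come down to what a server keeps on disk and when it is created. The following is an added example, not code from this thread or from MySQL or any other database server: a first-run setup that refuses shipped defaults and stores only a salted PBKDF2 hash, so someone who reads the source (or the credential store) learns the method but not the password. The names AdminStore, DEFAULT_CREDENTIALS, first_run_setup and the iteration count are assumptions for illustration; only the Python standard library is used.

```python
"""First-run administrator setup with no shipped default credential.

Added example, not code from the ProFox thread or from any real server.
Standard library only; the store format and names are illustrative.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed list of credentials an attacker tries first because they are
# printed in some product's source or manual (the "sa"/"sa" case in the thread).
DEFAULT_CREDENTIALS = {("sa", "sa"), ("root", ""), ("admin", "admin")}

# Assumed PBKDF2 work factor; raise it as the hardware you run on allows.
PBKDF2_ITERATIONS = 200_000
MIN_PASSWORD_LENGTH = 12


class SetupRequired(Exception):
    """The server has no administrator password yet and must not accept logins."""


class WeakDefaultPassword(ValueError):
    """The chosen credential is a shipped default or too short."""


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Derive a salted PBKDF2-HMAC-SHA256 hash.

    The method is public (anyone can read this function); the random salt and
    the password are what a reader of the stored record still lacks.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


class AdminStore:
    """In-memory stand-in for wherever a server keeps its admin credential.

    Nothing is written at build time: the store starts empty, so there is no
    password for a source reader to discover, and no login is possible until
    the operator has chosen one.
    """

    def __init__(self) -> None:
        self._record: Optional[dict] = None

    def first_run_setup(self, username: str, password: str) -> None:
        if self._record is not None:
            raise RuntimeError("administrator already configured")
        if (username, password) in DEFAULT_CREDENTIALS:
            raise WeakDefaultPassword("refusing a credential shipped as a default")
        if len(password) < MIN_PASSWORD_LENGTH:
            raise WeakDefaultPassword("password too short")
        self._record = {"username": username, **hash_password(password)}

    def login(self, username: str, password: str) -> bool:
        if self._record is None:
            raise SetupRequired("run first_run_setup before accepting logins")
        # Always do the hash work so a wrong username costs the same time.
        ok = verify_password(password, self._record)
        return ok and hmac.compare_digest(username, self._record["username"])

    def exported_record(self) -> dict:
        """What an attacker who can read the store actually gets."""
        return dict(self._record) if self._record else {}


if __name__ == "__main__":
    store = AdminStore()
    store.first_run_setup("sa", "correct horse battery staple")
    print("default sa/sa accepted:", store.login("sa", "sa"))
    print("chosen password accepted:", store.login("sa", "correct horse battery staple"))
    print("stored record:", store.exported_record())
```

Reading the store yields a username, a salt and a hash, which is no use without the password; the public method buys the attacker nothing, which is Ted's point. It does not answer the second half of Vassilis's question: an attacker who can write to the store, or patch login(), wins regardless of how the password is hashed, because that is an integrity problem handled by file permissions, code signing and host hardening, not by anything inside the server's cryptography.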

_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
** All postings, unless explicitly stated otherwise, are the opinions of the 
author, and do not constitute legal or medical advice. This statement is added 
to the messages for those lawyers who are too stupid to see the obvious.
