Protobuf doesn't actually use base-64 *at all*. And base-64 (and other
encodings) **are not security features**; they are not intended to be
secure or insecure - that simply is an unrelated concern. I suspect any use
of base-64 here is simply because protobuf is binary and cookies are text,
and base-64 is a fair way of storing arbitrary binary as text.

If you want to encrypt your data, that is something you should do
separately. Protobuf supports binary fields, which should work fine for
encrypted data (most encryption schemes result in binary payloads).
Frankly, though, I would normally advise *against* your current approach:
if the client can't access the data (because it is encrypted), *why are you
sending it to them on every request?* A better approach IMO is to just give
them an opaque token representing their session, and keep the real data
inside your control. The client can't decrypt or spoof data that *they
never have, and that they never submit*.

Marc


On 26 June 2014 22:19, Venkat Rangan <ven...@clari.com> wrote:

> Hi,
>
> A security review of my application turned up the following.
>
>
>   Application uses Protocol Buffer (protobuff) for their web sessions,
> but it is encoded only on base64. Cookies should be protected using an
> encryption protocol with unique keys for each cookie and/or a secure
> session method. Note: It is a server-side issue, the application is
> vulnerable because an attacker could obtain such encoded session data and
> easily decrypt it.
>
> How does one encode cookies using something other than base64, while still
> using protobuf?
>
> Thanks,
>
> venkat
>
>  --
> You received this message because you are subscribed to the Google Groups
> "Protocol Buffers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to protobuf+unsubscr...@googlegroups.com.
> To post to this group, send email to protobuf@googlegroups.com.
> Visit this group at http://groups.google.com/group/protobuf.
> For more options, visit https://groups.google.com/d/optout.
>



-- 
Regards,

Marc
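The contrast the reply draws (base64 is reversible by anyone, an opaque session token is not), as an added example that is not part of this thread or of protobuf itself. It hand-encodes the protobuf wire format for a two-field session message so it runs without the protobuf library, and stands in an in-memory dict for whatever server-side session store a real application would use.

```python
import base64
import secrets
# Constructed example: hand-encoded protobuf wire format, so no protobuf library is
# needed. Field 1 = varint user_id, field 2 = length-delimited (string) role.
def _varint(n):
    out = b""
    while n > 0x7F:
        out, n = out + bytes([(n & 0x7F) | 0x80]), n >> 7
    return out + bytes([n])

def _read_varint(data, i):
    value, shift = 0, 0
    while data[i] & 0x80:
        value |= (data[i] & 0x7F) << shift
        shift, i = shift + 7, i + 1
    return value | (data[i] << shift), i + 1

def encode_session(user_id, role):
    role_b = role.encode()
    return b"\x08" + _varint(user_id) + b"\x12" + _varint(len(role_b)) + role_b

def decode_session(data):
    fields, i = {}, 0
    while i < len(data):
        key, i = _read_varint(data, i)
        if key & 7 == 0:                         # wire type 0: varint
            fields[key >> 3], i = _read_varint(data, i)
        else:                                    # wire type 2: length-delimited
            n, i = _read_varint(data, i)
            fields[key >> 3], i = data[i:i + n].decode(), i + n
    return fields

# What the review flagged: base64 is an encoding, not encryption, so whoever holds
# the cookie can read the whole session state back out of it with no key at all.
def cookie_value(user_id, role):
    return base64.urlsafe_b64encode(encode_session(user_id, role)).decode()
def read_cookie_without_any_key(cookie):
    return decode_session(base64.urlsafe_b64decode(cookie))

# The alternative from the reply: the cookie carries only an opaque random token,
# and the protobuf-serialised session data never leaves the server.
_SESSIONS = {}  # stand-in for a real server-side session store
def create_session(user_id, role):
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = encode_session(user_id, role)
    return token

def lookup_session(token):
    data = _SESSIONS.get(token)
    return decode_session(data) if data is not None else None
```

A guessed or altered token simply finds nothing in the store, so there is nothing on the client side to decrypt or forge.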
