RE: Cracking String Encryption in Java Obfuscated Bytecode

To: Jim Manico <jim@manico.net>, subere@uncon.org
Subject: RE: Cracking String Encryption in Java Obfuscated Bytecode
From: Jeremy Epstein <jeremy.epstein@webmethods.com>
Date: Mon, 27 Nov 2006 06:49:49 -0800
Cc: bugtraq@securityfocus.com
Jim,

With all respect, I (partially) disagree with you:

> With respect, I disagree from a Java perspective.
> 
> 1) If you are deploying Java on the server you are protected 
> by so many layers, code obfuscation is not critical

True, but there are more reasons than just security for using obfuscation -
reducing (but not eliminating!) the risk of reverse engineering, protection
of intellectual property, etc.  So if you're saying "code obfuscation is not
critical FOR SECURITY" I agree, but not necessarily for other reasons.

> 2) If you are deploying Java Applets for enterprise 
> applications, you are nuts. They are inherently insecure and 
> Java applets have a long history of critical problems.

Well, this is true - but it's the wrong reason.  As just about everyone on
this list knows, relying on the client side to do security enforcement is
inherently a losing proposition.  And obfuscating the bytecode doesn't make
client-side enforcement any more secure.

--Jeremy
