<<< Date Index >>>     <<< Thread Index >>>

RE: Cracking String Encryption in Java Obfuscated Bytecode



Jim,

With all respect, I (partially) disagree with you:

> With respect, I disagree from a Java perspective.
> 
> 1) If you are deploying Java on the server you are protected 
> by so many layers, code obfuscation is not critical

True, but there are more reasons than just security for using obfuscation -
reducing (but not eliminating!) the risk of reverse engineering, protection
of intellectual property, etc.  So if you're saying "code obfuscation is not
critical FOR SECURITY" I agree, but not necessarily for other reasons.

> 2) If you are deploying Java Applets for enterprise 
> applications, you are nuts. They are inherently insecure and 
> Java applets have a long history of critical problems.

Well, this is true - but it's the wrong reason.  As just about everyone on
this list knows, relying on the client side to do security enforcement is
inherently a losing proposition.  And obfuscating the bytecode doesn't make
client-side enforcement any more secure.

--Jeremy