RE: Cracking String Encryption in Java Obfuscated Bytecode

To: Jim Manico <jim@xxxxxxxxxx>, subere@xxxxxxxxx
Subject: RE: Cracking String Encryption in Java Obfuscated Bytecode
From: Jeremy Epstein <jeremy.epstein@xxxxxxxxxxxxxx>
Date: Mon, 27 Nov 2006 06:49:49 -0800
Cc: bugtraq@xxxxxxxxxxxxxxxxx
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Jim,

With all respect, I (partially) disagree with you:

> With respect, I disagree from a Java perspective.
> 
> 1) If you are deploying Java on the server you are protected 
> by so many layers, code obfuscation is not critical

True, but there are more reasons than just security for using obfuscation -
reducing (but not eliminating!) the risk of reverse engineering, protection
of intellectual property, etc.  So if you're saying "code obfuscation is not
critical FOR SECURITY" I agree, but not necessarily for other reasons.

> 2) If you are deploying Java Applets for enterprise 
> applications, you are nuts. They are inherently insecure and 
> Java applets have a long history of critical problems.

Well, this is true - but it's the wrong reason.  As just about everyone on
this list knows, relying on the client side to do security enforcement is
inherently a losing proposition.  And obfuscating the bytecode doesn't make
client-side enforcement any more secure.

--Jeremy

Prev by Date: Re: New Flaw in Firefox 2.0: DoS and possible remote code execution
Next by Date: 2nd European Conference on Computer Network Defense (EC2ND)
Previous by thread: Re: Cracking String Encryption in Java Obfuscated Bytecode
Next by thread: Cross site scripting & fullpath disclosure
Index(es):
- Date
- Thread