Re: When to encrypt

From: "gnari" <gnari(at)simnet(dot)is>
To: <pgsql-general(at)postgresql(dot)org>
Subject: Re: When to encrypt
Date: 2004-12-06 08:17:28
Message-ID: 004401c4db6c$0647dba0$0100000a@wp2000
Lists: pgsql-general

From: "Derek Fountain" <dflists(at)iinet(dot)net(dot)au>

> [snip discussion about encrypting data]

> Indeed, but I'm still interested in the general answer. The server I have been
> looking at was hopelessly insecure and SQL injection is only one of its
> problems. There were several other ways in! Assume, for example, an attacker
> can write his own script directly into the website document tree. In this
> case prepared queries don't help protect what's in the database. The attacker
> can use them himself if he likes!

For encrypted data to be usable by the website, the keys must be available
to it, either in the database or in the scripts themselves. If the attacker
can write his own scripts into the document tree, these keys will be
available to him as well.

gnari
