Also worth noting: an extensively developed [Citation Needed], open source, java obfu tool (proguard) considers even proper String encryption to have such little value as to not include it.
http://proguard.sourceforge.net/#FAQ.html

On Mon, Jul 8, 2013 at 6:26 PM, Mark Thomas <ma...@apache.org> wrote:
> "Roger L. Whitcomb" <roger.whitc...@actian.com> wrote:
>
> >I had a thought that it would be more secure to pass password data
> >around in VFS as byte arrays instead of String objects so they could
> >less easily be found by memory dumpers/scanners. This would apply (for
> >instance) to GenericFileName constructor and access methods, etc.
> >Obviously, at some point, you have to convert to String (like in
> >"GenericFileName.appendCredentials"), but it seems like at least some
> >level of obfuscation, as in storing the data as bytes, might be useful
> >to increase security.
> >
> >Thoughts? Thanks.
> >
> >~Roger Whitcomb
> >Apache Pivot PMC Chair
>
> <hat type="asf security team member">
> Security by obscurity is no security at all.
>
> It provides a trivial obstacle to an attacker, makes debugging annoyingly
> harder and may fool security unaware users into thinking their system is
> more secure than it really is.
>
> If an attacker has gained enough access to scan and/or dump the memory of a
> process it is already game over for any data passing through that process
> unless a) the data is strongly encrypted and b) the process does not ever
> have access to the decryption key.
> </hat>
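The thread turns on what a byte[] actually buys over a String. The example below is added here and is not VFS code nor from either poster; the class name, the sample password value and the consume() helper are assumptions. It shows the one real property a byte[] has (the caller can wipe it the moment it has been used, while a String lingers until the garbage collector reclaims it) and that the unavoidable conversion to String, which the thread notes appendCredentials must perform, leaves an unclearable copy behind. Neither path protects data that is live while the process memory is dumped, which is the security team member's point.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/**
 * Added example (not VFS code): what a byte[] password buys over a String.
 * The only property gained is controllable lifetime: the array can be zeroed
 * as soon as the password has been used. A String has no such operation.
 */
public final class PasswordBufferDemo {

    // Constructed sample value (hypothetical). Note that the literal itself is
    // an interned String and therefore lives in the heap for the JVM's lifetime;
    // real input would be read into a char[] from a Console or a socket.
    private static final char[] SAMPLE = "s3cret-pw".toCharArray();

    /** Encode a char[] to UTF-8 bytes without creating an intermediate String. */
    static byte[] toUtf8(char[] chars) {
        ByteBuffer bb = StandardCharsets.UTF_8.encode(CharBuffer.wrap(chars));
        byte[] out = new byte[bb.remaining()];
        bb.get(out);
        // The encoder's own buffer is heap-backed; wipe that copy as well.
        if (bb.hasArray()) {
            Arrays.fill(bb.array(), (byte) 0);
        }
        return out;
    }

    /** Stand-in for a consumer that needs the bytes only briefly (e.g. writing them to a socket). */
    static int consume(byte[] secret) {
        int checksum = 0;
        for (byte b : secret) {
            checksum = 31 * checksum + b;
        }
        return checksum;
    }

    /** True when every byte of the buffer has been wiped. */
    static boolean isZeroed(byte[] buf) {
        for (byte b : buf) {
            if (b != 0) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Path 1: byte[] held only as long as needed, then wiped in finally.
        byte[] secret = toUtf8(SAMPLE);
        try {
            consume(secret);
        } finally {
            Arrays.fill(secret, (byte) 0); // the data is gone from this buffer now
        }
        System.out.println("byte[] wiped after use: " + isZeroed(secret));

        // Path 2: the moment the bytes become a String (as appendCredentials must
        // do), a copy exists that no caller can clear; it stays until GC runs,
        // so a memory dump taken in the meantime still contains it.
        byte[] again = toUtf8(SAMPLE);
        String unclearable = new String(again, StandardCharsets.UTF_8);
        Arrays.fill(again, (byte) 0);
        System.out.println("byte[] wiped but String copy still readable: "
                + unclearable.equals("s3cret-pw"));

        Arrays.fill(SAMPLE, '\0');
    }
}
```

The wipe-in-finally pattern shortens the window during which the plaintext is resident, which is a hygiene measure rather than protection against an attacker who can already read the process; the String path shows why the benefit disappears at the first place the byte[] has to be converted.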