Re: When to encrypt - Mailing list pgsql-general

From gnari
Subject Re: When to encrypt
Date
Msg-id 004401c4db6c$0647dba0$0100000a@wp2000
In response to When to encrypt  (Derek Fountain <dflists@iinet.net.au>)
List pgsql-general
From: "Derek Fountain" <dflists@iinet.net.au>

> [snip discussion about encrypting data]

> Indeed, but I'm still interested in the general answer. The server I have been
> looking at was hopelessly insecure and SQL injection is only one of its
> problems. There were several other ways in! Assume, for example, an attacker
> can write his own script directly into the website document tree. In this
> case prepared queries don't help protect what's in the database. The attacker
> can use them himself if he likes!

For encrypted data to be usable by the website, the keys must be available,
either in the database or in the scripts themselves. If the attacker
can write his own scripts into the document tree, these keys will be
available to him as well.

gnari



