From: Bruno Wolff III <bruno(at)wolff(dot)to>
To: Paul Lambert <paul(dot)lambert(at)autoledgers(dot)com(dot)au>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: How to allow users to log on only from my application not from pgadmin
Date: 2007-02-02 08:10:18
Message-ID: 20070202081018.GA9471@wolff.to
Lists: pgsql-general

On Fri, Feb 02, 2007 at 07:20:04 +0900,
Paul Lambert <paul(dot)lambert(at)autoledgers(dot)com(dot)au> wrote:
> How?
Use a debugger.
> If it is encrypted within the source code then the only way to steal the
> credentials would be to reverse engineer the application. And if someone
> is going to do that then you can be relatively assured that they are
> going to do anything and everything to get around whatever other
> security you can offer. At which point you could send the law after them
> for breach of copyright or other such law - at least that is the case
> down here in Australia.
>
> We have an application which connects to a database in MySQL. Each user
> has their own username/password to log onto the application which does
> so through authenticating against a users table in the db. The
> application itself has hard-coded within a username/password to get the
> initial access to the database. With somewhere in the vicinity of 1,000
> people using this particular application we've not seen a case of anyone
> accessing it using anything other than our application.
I imagine most people's customers don't try to work around broken security.
The scheme you have described above is broken.
> >You want to either run the app on a computer you control
>
> It's not always feasible to host the application main on your own
> server. Depending on network distance, traffic, size of application,
> number of users etc, it could require some extremely high spec hardware
> to host and beefed up network connections. This is not possible for a
> lot of service providers out there, not to mention that those willing to
> reverse engineer the software (or run packet sniffers and decrypt
> network traffic) to get the password out of it would still find a way of
> determining the password your hosted app is using.
>
> >or have a contract
> >with the customers prohibiting them from connecting to the database other
> >than
> >by using the app.
>
> If customers access a database hosted by a service provider it is
> generally the norm to have some clauses in the contract pertaining to
> data protection and ownership making "access to provider hosted data by
> any means other than those authorised by the provider" a breach of contract.
Well, then that is really your protection. The above security by obscurity
is just a way to help keep the honest people honest.
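
The "use a debugger" point above generalises: whatever the shipped client does to the credential on disk (a literal string, or something "encrypted" with a key that ships alongside it), it has to hand libpq a cleartext connection string at connect time, and anyone who can run the client can read it off that call. The following is an added example and is not code from this thread or from either poster. It models a toy client in Python with a constructed connection string, a hypothetical XOR obfuscation key, and a stand-in for libpq's connect function, and shows both recovery routes: a `strings`-style scan of the image, and a hook on the connect call.

```python
import re
from typing import Callable, List, Optional

# Constructed toy values (not from the thread): a shared application credential
# and the key a vendor might use to "encrypt" it inside the shipped client.
KEY = b"k3y!"
CONNINFO = "host=db.example.invalid dbname=ledger user=app_shared password=Hunter2"


def xor(data: bytes, key: bytes) -> bytes:
    """Toy symmetric obfuscation; any scheme whose key ships with the client behaves the same."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class FakeLibpq:
    """Stand-in for libpq: whatever the app does beforehand, connect() needs cleartext."""

    def connect(self, conninfo: str) -> str:
        return "connected via " + conninfo.split()[0]


libpq = FakeLibpq()
OBFUSCATED = xor(CONNINFO.encode(), KEY)  # what the "encrypted" build stores on disk


def client_plain() -> str:
    """Build 1: credential embedded as a literal string."""
    return libpq.connect(CONNINFO)


def client_obfuscated() -> str:
    """Build 2: credential stored obfuscated and decoded just before use."""
    return libpq.connect(xor(OBFUSCATED, KEY).decode())


def image_of(build: int) -> bytes:
    """Crude model of the on-disk binary: a header, some code bytes, the data section."""
    data = CONNINFO.encode() if build == 1 else KEY + OBFUSCATED
    return b"\x7fELF" + b"\x90" * 16 + data + b"\x00" * 8


# --- what someone holding a copy of the client can do ------------------------

def strings(image: bytes, minlen: int = 4) -> List[str]:
    """Printable runs in the image, the same idea as the Unix `strings` tool."""
    pattern = rb"[\x20-\x7e]{" + str(minlen).encode() + rb",}"
    return [m.decode() for m in re.findall(pattern, image)]


def password_from_strings(image: bytes) -> Optional[str]:
    """Static route: works against build 1, finds nothing in build 2."""
    for s in strings(image):
        m = re.search(r"password=(\S+)", s)
        if m:
            return m.group(1)
    return None


def password_from_hook(client: Callable[[], str]) -> str:
    """Dynamic route, the 'use a debugger' point: intercept the connect call.

    Equivalent to a breakpoint on libpq's PQconnectdb in a real client; the
    decoded string is read off the call no matter how it was stored on disk.
    """
    captured: List[str] = []
    original = libpq.connect

    def hooked(conninfo: str) -> str:
        captured.append(conninfo)
        return original(conninfo)

    libpq.connect = hooked
    try:
        client()
    finally:
        libpq.connect = original
    return re.search(r"password=(\S+)", captured[0]).group(1)


if __name__ == "__main__":
    print("strings on build 1:", password_from_strings(image_of(1)))      # Hunter2
    print("strings on build 2:", password_from_strings(image_of(2)))      # None
    print("hook on build 2:   ", password_from_hook(client_obfuscated))   # Hunter2
```

Against a real client the static route is `strings` (or a hex editor) on the executable, and the dynamic route is a breakpoint on libpq's PQconnectdb or PQconnectdbParams, where the argument is the assembled cleartext connection string. Obfuscating the credential only defeats the first route; it cannot defeat the second, which is why the scheme protects nothing against someone willing to look.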