Advanced security questions
Moderator: General Moderators
- volomike
- Forum Regular
- Posts: 633
- Joined: Wed Jan 16, 2008 9:04 am
- Location: Myrtle Beach, South Carolina, USA
Re: Advanced security questions
Or just switch to PostgreSQL.
Re: Advanced security questions
What is the advantage there? Can it create full-text indexes for encrypted columns, without exposing the data?volomike wrote:Or just switch to PostgreSQL.
Re: Advanced security questions
Full-text indices do leak information about the document. There is no (to my knowledge) support for FT indexing of encrypted text, but any alternative solution you may come to will still suffer from this (inherent to the indexing process) information leakage. Be sure that you know how to deal with it - limit the access to the search functionality only to the document owner, create "personal" search indices which are also encrypted with the owner key, etc.Can it create full-text indexes for encrypted columns, without exposing the data?
Otherwise getting hold of your FT index will let the attacker know which documents (belonging to which users) contain "bomb", "plane", "smurf the government", "<insert deity> akbar", etc.
There's always a balance between security and usability, make your choice on which of the two sides to lean.
Re: Advanced security questions
Good information. I was figured indicies had to leak some of the data and you have confirmed that. However, a light bulb went off when you said this:
THANK YOU!
This sounds like a great solution. I was looking at some of the tools I have been pointed to for maintaining my own indexes, and I'm sure I could come up with a way to create and maintain indexes for my users, then serialize and store their personal index in the database (encrypted of course), allowing me to offer fast search without breaking security.Mordred wrote:...create "personal" search indices which are also encrypted with the owner key
THANK YOU!
-
aschlosberg
- Forum Newbie
- Posts: 24
- Joined: Fri Jan 23, 2009 10:17 pm
Re: Advanced security questions
Not sure if anyone has pointed this out but you have an XSS vulnerability in the way you display the username. Try logging in with the username <script>alert(1);</script> - you can execute any Javascript that you want to.
EDIT: XSS - http://en.wikipedia.org/wiki/Cross-site_scripting
EDIT: XSS - http://en.wikipedia.org/wiki/Cross-site_scripting