Offline security


no-jo

Apr 20, 2008, 12:53:40 AM
to Google Gears
Has anyone worked out some method for securing offline activities?
Since anyone can freeze, debug, etc. their machine.... there would
have to be some real trickery to get some decently secure offline
quizzing and such.

I can picture a provably secure architecture.... but 1) I can't
picture much usually, and 2) there must be something approaching
secure-ness that can be done, regardless.


I work for a university and tests, etc are ripe for highly motivating
technical students to get in and muck around :)

sobolanul

Apr 22, 2008, 10:42:48 AM
to Google Gears
I think it is impossible to develop a secure offline application. As
long as data are on my computer I am 100% sure that I can retrieve
them. Even using fancy algorithms to encrypt the content of the local DB
and obfuscate the JS code, in the worst case I will get the Gears
source code (it is public, as far as I know) and I will compile my own Gears
addon to read the locally stored data.
The best you can do is to store locally only locally inserted
data, with any "interpreting" of the data done after coming back
online. If you store the quiz's correct answers locally, you have no
chance to keep them secret.
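
The split described in the post above, sketched as an added example (not code from the thread or from Gears): the offline package carries only questions and choices, the client queues the student's responses, and the server grades them after sync while treating the queue as untrusted input. All names and the sample quiz are constructed for illustration.

```javascript
// Added example; every name and value here is hypothetical / constructed.

// --- Server side: the full quiz, including the answer key, never leaves here.
const QUIZ = {
  id: "quiz-101",
  questions: [
    { id: "q1", text: "2 + 2 = ?", choices: ["3", "4", "5"], answer: 1 },
    { id: "q2", text: "Capital of France?", choices: ["Paris", "Rome"], answer: 0 },
    { id: "q3", text: "Is 7 prime?", choices: ["yes", "no"], answer: 0 },
  ],
};

// What the client may cache for offline use: question text and choices only.
function buildOfflinePackage(quiz) {
  return {
    id: quiz.id,
    questions: quiz.questions.map(({ id, text, choices }) => ({ id, text, choices })),
  };
}

// --- Client side (offline): record the student's responses, nothing else.
function recordResponse(queue, questionId, choiceIndex) {
  queue.push({ questionId, choiceIndex });
  return queue;
}

// --- Server side (after sync): the queue came from a machine the student
// controls, so validate every entry before comparing it with the key.
function gradeSubmission(quiz, queue) {
  const byId = new Map(quiz.questions.map((q) => [q.id, q]));
  const seen = new Set();
  const rejected = [];
  let score = 0;
  for (const entry of queue) {
    const { questionId, choiceIndex } = entry || {};
    const q = byId.get(questionId);
    // Reject unknown questions, repeated answers (first one wins) and
    // choice indexes outside the question's range.
    const valid = q !== undefined && !seen.has(questionId) &&
      Number.isInteger(choiceIndex) && choiceIndex >= 0 && choiceIndex < q.choices.length;
    if (!valid) { rejected.push(questionId); continue; }
    seen.add(questionId);
    if (choiceIndex === q.answer) score += 1;
  }
  return { score, total: quiz.questions.length, rejected };
}
```

This keeps the answer key secret but does not stop a student from editing their own queued responses before sync; the server can only validate and grade what it receives.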

John Ripley

Apr 22, 2008, 10:55:38 AM
to google...@googlegroups.com
There are two different attack vectors being mixed up here:

1) Securing against malware with access to your computer while you're
using it (e.g. unaware of a trojan).

2) Securing against someone taking your database (e.g. stolen laptop).

Case 1) is pretty much impossible.

Case 2) is possible to secure against, but would require a password
every time you accessed that site (offline or otherwise). I'd be
perfectly happy with that if it were available today.


Chris Prince

Apr 22, 2008, 2:03:09 PM
to google...@googlegroups.com
> Case 2) is possible to secure against, but would require a password
> every time you accessed that site (offline or otherwise). I'd be
> perfectly happy with that if it were available today.

The problem is most users will choose the same offline and online
password. And the offline version can be brute-force attacked,
because the server cannot throttle incorrect attempts. So introducing
an offline password *actually* reduces security for many users. :(
