When “Encryption” can be bad for sysadmins?
Encryption has always been a man’s best friend, but is it really true for sysadmins with encrypted applications?
Imagine this scenario, and allow me not to be – so – brief in order for non-technical people to understand the security issue.
– A PHP programmer distributes a web application.
– To protect his property from snooping eyes, he decided to encode his PHP files with something like Zend Guard, IonCube, etc.
– Unfortunately, the poor programmer missed a security vulnerability in his application.
– An attacker finds the vulnerability, of course, remember… no matter that the application is encoded, we’re talking runtime here.
– The attacker gains access to the PHP files source-code one way or another.
– The attacker is capable of decoding the encrypted content thanks to tens of freeware tools on the Internet that targets such encryption (Google: “dezend”, “zend decoder online”, …)
– The attacker needs to inject a backdoor in the system for future use to gain access in case the security vulnerability has been fixed.
This is were the security behind encryption fails.
All the attacker needs now is to decode one of the original files (for example), insert his evil shellcode among the original code, encrypt the file again and replace it on affected website.
If I’m a sysadmin (and I am :P), I would get VERY suspicious about encrypted content in one of my website pages, but that is not going to be the case if all my website content were originally encrypted by the programmer and I’m aware of that from the beginning.
How do you even trust an encrypted content on your website in the first place? What if the programmer himself originally placed a backdoor among the safe source-code? How can you tell then?
I think web masters should run this thought in their heads and think long before they accept running any encrypted stuff on their websites.
That being said, my coffee is getting cold.
Let me know what you think.