[WEB SECURITY] Encrypting Client Data
conrad at tivano.de
Fri Jun 10 03:36:50 EDT 2011
On Thursday, 9 June 2011, Justin Scott wrote:
> they log out or their session times out, the key data would be removed
> from memory (as an aside, the app is built on a Java virtual machine
> so the usual memory garbage collection methods in Java would apply,
> and we can zero over the data before closing their session as well).
> So, given this information, can you think of anything that we've
> missed? Any other risk factors we should consider?
Talking about Java garbage collection: the garbage collector copies
long-lived objects between heap regions during their lifetime
for a detailed explanation). So zeroing over the data will not
really help (but doesn't hurt, of course).
Also, if you're planning a clustered application with session
replication you'll be transmitting the unprotected keys across
Tivano Software GmbH
Tel: 06102 / 8099070
Fax: 06102 / 8099071
HRB 11680, AG Offenbach/Main
Managing Director: Martin Apel
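As an added illustration of the two points raised above (this is not code from Conrad's post or from Justin's application, and the class and method names are my own), one way to keep per-session key material outside the GC-managed heap, overwrite it in place on logout, and make accidental session replication fail loudly rather than ship the key across the cluster. It assumes Java 8 or later and that the holder is what gets stored as the session attribute.

```java
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Holds a per-user key in a direct (off-heap) buffer, so the collector never
 * copies it between heap regions, and zeroes it explicitly on logout.
 * Deliberately NOT Serializable: storing it in an HttpSession with session
 * replication enabled throws NotSerializableException instead of silently
 * transmitting the key to other cluster nodes.
 */
public final class SessionKeyHolder implements AutoCloseable {
    private final ByteBuffer key;   // direct buffer: memory outside the GC-managed heap
    private boolean destroyed;

    public SessionKeyHolder(byte[] keyBytes) {
        key = ByteBuffer.allocateDirect(keyBytes.length);
        key.put(keyBytes);
        Arrays.fill(keyBytes, (byte) 0);   // scrub the caller's on-heap copy
    }

    /** AES-GCM encrypt; the short-lived on-heap copy JCE needs is wiped right after use. */
    public byte[] encrypt(byte[] plaintext, byte[] iv) throws GeneralSecurityException {
        if (destroyed) throw new IllegalStateException("key already destroyed");
        byte[] tmp = new byte[key.capacity()];
        ByteBuffer view = key.duplicate();
        view.rewind();
        view.get(tmp);
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(tmp, "AES"), new GCMParameterSpec(128, iv));
            return c.doFinal(plaintext);
        } finally {
            // Caveat: SecretKeySpec clones the bytes internally; that clone is still a
            // normal heap object, so the GC-copy concern applies to it until it dies.
            Arrays.fill(tmp, (byte) 0);
        }
    }

    /** Call on logout or session timeout: overwrite the off-heap bytes in place. */
    @Override
    public void close() {
        ByteBuffer view = key.duplicate();
        view.rewind();
        while (view.hasRemaining()) view.put((byte) 0);
        destroyed = true;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] k = new byte[16], iv = new byte[12];   // constructed sample key and nonce
        new SecureRandom().nextBytes(k);
        new SecureRandom().nextBytes(iv);
        try (SessionKeyHolder h = new SessionKeyHolder(k)) {
            System.out.println(h.encrypt("hello".getBytes(), iv).length);
        }
    }
}
```

The direct buffer only removes the long-lived copy from the heap; any transient heap copy handed to the JCE provider remains subject to the collector's copying until it is reclaimed.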