Encrypted Logging in python

Discussion in 'Python' started by koranthala@gmail.com, Jan 9, 2009.

  1. Guest

    I was wondering if there is a mechanism to encrypt logging
    automatically in python.
    The issue is as follows:
    (a) An application (after py2exe) will go as executable and there
    is no need for the user to know that it is written in python. If an
    exception occurs and it is logged, then the user can understand it is
    written in python.
    (b) A security threat. If an exception occurs, the code is seen by
    the user - and possibly be misused.

    Base64 encoding somewhat helps - which is supported by logging
    module - but even that is not very secure. If there can be an option -
    wherein we send in the password and the logging is encrypted - it
    might be better.
    I would have loved to provide the code, but I am completely tied up
    at the moment and wont be able to help for another month.
     
    , Jan 9, 2009
    #1
    1. Advertising

  2. On Fri, 09 Jan 2009 00:21:09 -0800, koranthala wrote:

    > I was wondering if there is a mechanism to encrypt logging automatically
    > in python.
    > The issue is as follows:
    > (a) An application (after py2exe) will go as executable and there
    > is no need for the user to know that it is written in python. If an
    > exception occurs and it is logged, then the user can understand it is
    > written in python.
    > (b) A security threat. If an exception occurs, the code is seen by
    > the user - and possibly be misused.


    Security by obscurity is not security. If your application isn't secure
    against people who know what language is written in, then it isn't secure.




    --
    Steven
     
    Steven D'Aprano, Jan 9, 2009
    #2
    1. Advertising

  3. Guest

    On Jan 9, 3:16 pm, Steven D'Aprano <st...@REMOVE-THIS-
    cybersource.com.au> wrote:
    > On Fri, 09 Jan 2009 00:21:09 -0800, koranthala wrote:
    > > I was wondering if there is a mechanism to encrypt logging automatically
    > > in python.
    > >    The issue is as follows:
    > >     (a) An application (after py2exe) will go as executable and there
    > > is no need for the user to know that it is written in python. If an
    > > exception occurs and it is logged, then the user can understand it is
    > > written in python.
    > >     (b) A security threat. If an exception occurs, the code is seen by
    > > the user - and possibly be misused.

    >
    > Security by obscurity is not security. If your application isn't secure
    > against people who know what language is written in, then it isn't secure..
    >
    > --
    > Steven


    I understand that completely.
    My point is that even though I can try to make the application
    completely secure - I can never be sure of that. Especially if your
    company is a very small one - and might not be able to have the best
    programmers around. So, another layer of security - even security
    through obscurity - can give that bit extra time in which the bugs in
    the system can be ironed out.

    Also, what I am asking is a generic option in logging - which can help
    the adoption of the logging framework in even closed source systems.
    It is not just about security - just that a closed source company
    might be much more comfortable in using the system if crypt is there.
     
    , Jan 9, 2009
    #3
  4. Guest

    On Jan 9, 8:02 am, wrote:
    > Also, what I am asking is a generic option in logging - which can help
    > the adoption of the logging framework in even closed source systems.
    > It is not just about security - just that a closed source company
    > might be much more comfortable in using the system if crypt is there.


    Python is an open source project. Many people that read this list
    don't like closed source code too much and are not willing to invest
    time to work in features like this. You might get lucky and somebody
    that is interested in the topic might give you some tips.
     
    , Jan 9, 2009
    #4
  5. wrote:
    > I was wondering if there is a mechanism to encrypt logging
    > automatically in python.


    Python's standard library doesn't include any "strong" symmetric
    ciphers. But if you include for example a cryptographic module for AES,
    for example, it should be easy (I guess 10 lines of code, yes, the issue
    always is *which* 10 lines) to write a custom logger that encrypts using
    a hardcoded key.

    As others have said, this is not really secure, so you could just as
    well use something stupid like rot13 or base64 instead.

    > The issue is as follows:
    > (a) An application (after py2exe) will go as executable and there
    > is no need for the user to know that it is written in python. If an
    > exception occurs and it is logged, then the user can understand it is
    > written in python.


    In 99.326 % of all cases, the answer is: so what?

    > (b) A security threat. If an exception occurs, the code is seen by
    > the user - and possibly be misused.


    Simply make the user not see the exception, but use a fallback exception
    handler that does whatever you want to. Write to a log file. Or write to
    an encrypted log file if you still think that helps.

    > Base64 encoding somewhat helps - which is supported by logging
    > module - but even that is not very secure. If there can be an option -
    > wherein we send in the password and the logging is encrypted - it
    > might be better. [...]


    As I said before, that should be trivial to program if you look up the
    documentation about the logging module. Just subclass FileHandler. And
    make sure your class is then used. That's probably the hardest part ;-)

    That all being said, I have one final advise: Your time is probably much
    better spent on *real* issues.

    -- Gerhard
     
    Gerhard Häring, Jan 9, 2009
    #5
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Stefan Siegl
    Replies:
    0
    Views:
    985
    Stefan Siegl
    Aug 27, 2003
  2. janne
    Replies:
    0
    Views:
    9,613
    janne
    Sep 10, 2004
  3. Christoph Haas
    Replies:
    0
    Views:
    481
    Christoph Haas
    Jun 12, 2006
  4. Christoph Haas
    Replies:
    1
    Views:
    485
    Vinay Sajip
    Jun 14, 2006
  5. johnny
    Replies:
    1
    Views:
    672
    Dennis Lee Bieber
    Dec 12, 2006
Loading...

Share This Page