Encrypted Logging in python

[koranthala]

I was wondering if there is a mechanism to encrypt logging
automatically in python.
The issue is as follows:
(a) An application (after py2exe) will go as executable and there
is no need for the user to know that it is written in python. If an
exception occurs and it is logged, then the user can understand it is
written in python.
(b) A security threat. If an exception occurs, the code is seen by
the user - and possibly be misused.

Base64 encoding somewhat helps - which is supported by logging
module - but even that is not very secure. If there can be an option -
wherein we send in the password and the logging is encrypted - it
might be better.
I would have loved to provide the code, but I am completely tied up
at the moment and wont be able to help for another month.

 

[Steven D'Aprano]

I was wondering if there is a mechanism to encrypt logging automatically
in python.
The issue is as follows:
(a) An application (after py2exe) will go as executable and there
is no need for the user to know that it is written in python. If an
exception occurs and it is logged, then the user can understand it is
written in python.
(b) A security threat. If an exception occurs, the code is seen by
the user - and possibly be misused.

Security by obscurity is not security. If your application isn't secure
against people who know what language is written in, then it isn't secure.

 

[koranthala]

Security by obscurity is not security. If your application isn't secure
against people who know what language is written in, then it isn't secure..

I understand that completely.
My point is that even though I can try to make the application
completely secure - I can never be sure of that. Especially if your
company is a very small one - and might not be able to have the best
programmers around. So, another layer of security - even security
through obscurity - can give that bit extra time in which the bugs in
the system can be ironed out.

Also, what I am asking is a generic option in logging - which can help
the adoption of the logging framework in even closed source systems.
It is not just about security - just that a closed source company
might be much more comfortable in using the system if crypt is there.

 

[pruebauno]

Also, what I am asking is a generic option in logging - which can help
the adoption of the logging framework in even closed source systems.
It is not just about security - just that a closed source company
might be much more comfortable in using the system if crypt is there.

Python is an open source project. Many people that read this list
don't like closed source code too much and are not willing to invest
time to work in features like this. You might get lucky and somebody
that is interested in the topic might give you some tips.

 

[Gerhard Häring]

I was wondering if there is a mechanism to encrypt logging
automatically in python.

Python's standard library doesn't include any "strong" symmetric
ciphers. But if you include for example a cryptographic module for AES,
for example, it should be easy (I guess 10 lines of code, yes, the issue
always is *which* 10 lines) to write a custom logger that encrypts using
a hardcoded key.

As others have said, this is not really secure, so you could just as
well use something stupid like rot13 or base64 instead.

The issue is as follows:
(a) An application (after py2exe) will go as executable and there
is no need for the user to know that it is written in python. If an
exception occurs and it is logged, then the user can understand it is
written in python.

In 99.326 % of all cases, the answer is: so what?

(b) A security threat. If an exception occurs, the code is seen by
the user - and possibly be misused.

Simply make the user not see the exception, but use a fallback exception
handler that does whatever you want to. Write to a log file. Or write to
an encrypted log file if you still think that helps.

Base64 encoding somewhat helps - which is supported by logging
module - but even that is not very secure. If there can be an option -
wherein we send in the password and the logging is encrypted - it
might be better. [...]

As I said before, that should be trivial to program if you look up the
documentation about the logging module. Just subclass FileHandler. And
make sure your class is then used. That's probably the hardest part ;-)

That all being said, I have one final advise: Your time is probably much
better spent on *real* issues.

-- Gerhard