With all respect, I (partially) disagree with you:
> With respect, I disagree from a Java perspective.
>
> 1) If you are deploying Java on the server you are protected
> by so many layers, code obfuscation is not critical
True, but there are more reasons than just security for using obfuscation -
reducing (but not eliminating!) the risk of reverse engineering, protection
of intellectual property, etc. So if you're saying "code obfuscation is not
critical FOR SECURITY" I agree, but not necessarily for other reasons.
> 2) If you are deploying Java Applets for enterprise
> applications, you are nuts. They are inherently insecure and
> Java applets have a long history of critical problems.
Well, this is true - but it's the wrong reason. As just about everyone on
this list knows, relying on the client side to do security enforcement is
inherently a losing proposition. And obfuscating the bytecode doesn't make
client-side enforcement any more secure.
With all respect, I (partially) disagree with you:
> With respect, I disagree from a Java perspective.
>
> 1) If you are deploying Java on the server you are protected
> by so many layers, code obfuscation is not critical
True, but there are more reasons than just security for using obfuscation -
reducing (but not eliminating!) the risk of reverse engineering, protection
of intellectual property, etc. So if you're saying "code obfuscation is not
critical FOR SECURITY" I agree, but not necessarily for other reasons.
> 2) If you are deploying Java Applets for enterprise
> applications, you are nuts. They are inherently insecure and
> Java applets have a long history of critical problems.
Well, this is true - but it's the wrong reason. As just about everyone on
this list knows, relying on the client side to do security enforcement is
inherently a losing proposition. And obfuscating the bytecode doesn't make
client-side enforcement any more secure.
--Jeremy
[ reply ]