Hi all,
Where a new very useful an easy to use way of Encryption/Decryption of your data.
Visit https://www.jmasters.info:8443/jcrypt/ site for more details.
Alex Bromberg wrote:Hi all,
Where a new very useful an easy to use way of Encryption/Decryption of your data.
Visit https://www.jmasters.info:8443/jcrypt/ site for more details.
Sorry to be negative but your site does not say what algorithms are used and the statement 'The service uses a complex random data manipulation algorithms to provide a very high level of encryption and still fast and with low "encrypted data/row data" ratio' sounds just like techno-babble. The whole smells of snake oil - http://www.interhack.net/people/cmcurtin/snake-oil-faq.html .
I don't know much about encryption or web service calls...
But does this send my plaintext to your server, then you send back the ciphertext? Doesn't that open up security holes?
I mean, it would be like me handing a copy of my plaintext to some random third person who hung up a sign saying "I'll encrypt your documents for you!!!", having them encrypt it and give me a copy of that ciphertext back. How do I know they (or you) can be trusted?
Since this is a SOAP service, I advise to secure the data in transit by employing WS-Security for encryption. You may also want to set up SSL properly on port 443 on your server - gives a much more secure feeling. Kind of key for a service like this :-) (as would, I agree, information about the algorithms being used).
Alex Bromberg wrote:try it before you post any conclusions
How will trying your site out help me decide whether or not this is snake oil? Are you using the industry standard algorithms? How can I be sure that the data I send to you for encryption is not being stored in the clear on your computers or sold on? Who has access to the keys? How is this better than PGP?
Nothing on your web site and nothing you have posted here indicates that you have anything other than snake oil and anyone who uses your site to protect their data is a fool.
Ulf Dittmer wrote:Since this is a SOAP service, I advise to secure the data in transit by employing WS-Security for encryption. You may also want to set up SSL properly on port 443 on your server - gives a much more secure feeling. Kind of key for a service like this :-) (as would, I agree, information about the algorithms being used).
If I'm going to send data over to him over SSL, why can't I just use SSL to send data to where I want to send to. Security as strong as the weakest link in the system. If his encryption is legitametly stronger than SSL, then the weak point in the system is SSL. Since he is completely reliant on SSL for this service, he cannot get better than SSL
Jayesh A Lalwani wrote:If I'm going to send data over to him over SSL, why can't I just use SSL to send data to where I want to send to. Security as strong as the weakest link in the system. If his encryption is legitametly stronger than SSL, then the weak point in the system is SSL. Since he is completely reliant on SSL for this service, he cannot get better than SSL
Agreed. Putting an encryption service on the net doesn't make any sense, as encryption is needed to get data across the net .... but much more importantly ....
Alex Bromberg wrote:try it before you post any conclusions
Alex Bromberg wrote:Who told you can trust anyone in this world It;s your decision if you trust someone or not.
Engineers involved with security are probably the most paranoid people that I know. If this service is intended to become a business in the future, then you probably need better marketing slogans ...
My employer is in the business of providing SaaS for the mortgage portfolios of the banks. When we started no one was ready to take a SaaS solution, simply because they didn't want to give us the data. We had to install the software in their environments. After we built trust with couple of big banks, we started opening them up to a SaaS solution. It took us like 3-4 years. When we moved to a SaaS solution, we started getting audited out of the yinyang. They see who has access to their data. The people who build the software have no access to data. The people who can understand the data cannot modify it without going through some auditing checkpoints. The group that has full access is very very limited, and tend to be people who don't understand the business side. On top of that the client scrubs the data before sending to us. They look at what data goes to the cloud. what data stays on the cloud. where are our passwords stored, do we lock our computers when we lock our desktops when we leave. We can't even have friggin WiFi. Oh wait we can but devices on WiFi are outside our firewall. Even the janitorial company that vaccums our floors get audited
I am pretty sure if we said "it's your decision if you trust someone or not" we would be out in the cold.
Thanks for your constructive responses it is very helpful. Probably I should review the concept of my service and rethink about ways to promote it.
More thoughts and advises will be appreciated very much.
I think if you really have some good research behind your encryption, and it is demonstrably better in some aspect than any other encryption algorithm, you need be able to articulate how you are better without giving away your trade secrets. Maybe publish some whitepapers.
Also, Encryption SaaS is not going to work, unless you have reinvented the internet. Java provides a good way of people to sell their cryptography algorithms. Look at the Provider interface in JCE. It allows you to build your own encryption and plugin to standard JCE. You can sell your encryption algorithm as a plugin.
Is there something about your encryption that it has to be done on the server? Like does it do it on the cloud or something like that? If it is, then you have to find a way to have strong encryption on the data before sending it to the server.
Jayesh A Lalwani wrote:I think if you really have some good research behind your encryption, and it is demonstrably better in some aspect than any other encryption algorithm, you need be able to articulate how you are better without giving away your trade secrets. Maybe publish some whitepapers.
I am not completely sure if I agree with this. There are many things that make encryption algorithms good, but being a "trade secret" isn't generally one of them.
All popular encryption algorithms today are completely documented -- and in many cases, the source code are provided. This allows an army, from the best scientists with a little too much free time, to hackers with way too much free time, to try to crack it. In other words, good encryption algorithms should be heavily battle tested.
Henry
Post by:autobot
no wonder he is so sad, he hasn't seen this tiny ad:
a bit of art, as a gift, that will fit in a stocking
![[Logo]](/templates/default/mobile/images/mobile-moose.gif)
It;s your decision if you trust someone or not.
