6 messages in com.googlegroups.google-chart-api

Re: Security for Corporate Use

| Subject: | Re: Security for Corporate Use |
|---|---|
| From: | Alex (alex...@aruspex.com) |
| Date: | 06/19/2008 04:27:35 PM |
| List: | com.googlegroups.google-chart-api |

Thanks Brett, just read your post after my last.
Agree with your assessment of encryption's crackability (with enough time, resources, and drive). I think many corporate users (and certainly my clients) would be more comfortable with *some* encryption rather than none. Certainly that doesn't mean it's *totally* secure, but it does mean that casual hackers aren't going to get at it... someone's going to need to make a real effort....
My 2 cents this time (again), now I'm up to $0.06
Cheers
On Jun 20, 1:40 am, "Brett L. Scott" <blsc...@livesquare.com> wrote:
I am in the security consulting space.
It is important to note that the concept of security through obscurity is now dead. The latest wave of botnets attempt to hack everybody. Therefore those who said their companies were protected because they were "small fish" got a rude awakening. Do not rely on security through obscurity.
The concept of sniffing someone's network traffic is old hat. However, it is less likely to happen in an individual circumstance. It is important to note that if your traffic is being sniffed and recorded then it really does not matter how you are protecting it (calm down encryption guys), it can be broken down and read. The encryption guys will disagree with me, but with the advancement of large-scale botnets, decryption is getting very easy. An example of this is that Kaspersky Labs, a security company, is helping a company whose data has been encrypted with a 1024-bit key. Most would say that this size encryption key would take well over 100 years to crack. I am betting that this is cracked before the end of this year.
To the idea that encoded data is safer than other data, consider the fact that many people already use the Google API, therefore if you write code to decode Google API data then you have a large list of potential victims. It is well worth someone's time to look for and decode Google API encoded data.
I recommend that you carefully consider what data you are charting and take a practical look at how "sensitive" it really is. For example, if you are a public company, does this information already get published? Does anyone else in the company print and/or share this information with third parties already? Does the information truly place your company's profit, security, market competitiveness into jeopardy? Do you even have to transmit the "sensitive" data? For example, could you use colored lines on the chart and a legend that originates from your internal application?
Using the Google API means that you are disclosing data to Google. They may have no need for it, but you are giving it to them. If the risk is too high to disclose over the Internet, purchase a charting library and support a hungry programmer.
My $0.02
Brett L. Scott
Live Square Security Team
www.livesquaresecurity.com
blsc...@livesquare.com

-----Original Message-----
From: goog...@googlegroups.com [mailto:goog...@googlegroups.com] On Behalf Of JMan
Sent: Wednesday, June 18, 2008 3:51 PM
To: Google Chart API
Subject: Re: Security for Corporate Use
All,
I am not a security expert, but...
Once you submit your URL, the data embedded within that URL will be transmitted as clear text over the Internet. It is then almost trivial to intercept and decode your information contained within that URL. The simple or extended data encoding is trivial to decode as well.
-Julien
http://gchartjava.googlecode.com/
On Jun 18, 3:28 pm, mickaxl <mick...@netscape.net> wrote:
I too am attempting to promote its use at my current contract client and to date no real security issues have emerged. At first people were suspicious of the idea that data would be passed and stored on Google servers but since the "data" is effectively redacted or encoded (what does chd=s:ATb19 mean anyway) that was soon put to rest.
Our biggest impediment is access, not security, right now at least, since many of our users work on sites scattered throughout the US and quite a few do not have internet access on site.
On Jun 17, 6:29 pm, Alex <alex...@aruspex.com> wrote:
Hi There
Wondering if anyone has any concerns about the security of this API when using it for corporate applications? I am thinking of using it in a corporate app, but may be returning some semi-confidential information to a secure website (SSL encrypted and password / SAML protected). Just wondering if anyone has any thoughts on the implications of this for security of information.
Thanks Alex
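
Added example, not part of the original thread: a decoder for the simple and extended chart data encodings discussed above, applied to the `chd=s:ATb19` value quoted in the thread. The URL host, the other query parameters and the second series are constructed; the alphabets are those of the Chart API's documented data formats.

```python
from urllib.parse import urlsplit, parse_qs

# Simple encoding: one character per point, value 0-61.
SIMPLE = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
# Extended encoding: two characters per point, value 0-4095.
EXTENDED = SIMPLE + "-."


def decode_simple(series):
    # "_" marks a missing data point.
    return [None if c == "_" else SIMPLE.index(c) for c in series]


def decode_extended(series):
    if len(series) % 2:
        raise ValueError("extended series must have an even length")
    pairs = [series[i:i + 2] for i in range(0, len(series), 2)]
    # "__" marks a missing data point.
    return [None if p == "__"
            else EXTENDED.index(p[0]) * 64 + EXTENDED.index(p[1])
            for p in pairs]


def decode_chd(chd):
    """Decode a chd value such as 's:ATb19' into a list of series."""
    kind, sep, payload = chd.partition(":")
    decoders = {"s": decode_simple, "e": decode_extended}
    if not sep or kind not in decoders:
        raise ValueError("unsupported chd format: %r" % chd)
    # In both encodings, series are separated by commas.
    return [decoders[kind](s) for s in payload.split(",")]


def chart_data_from_url(url):
    """Pull the chd parameter out of a chart URL and decode it."""
    query = parse_qs(urlsplit(url).query)
    if "chd" not in query:
        raise ValueError("URL carries no chd parameter")
    return decode_chd(query["chd"][0])


if __name__ == "__main__":
    # Constructed URL: placeholder host, first series taken from the thread.
    url = "http://charts.example/chart?cht=lc&chs=200x100&chd=s:ATb19,_9A"
    for n, series in enumerate(chart_data_from_url(url)):
        print("series", n, series)
```

The decoded numbers are the values as scaled for plotting, so anyone who can read the URL recovers the shape of the data; absolute figures additionally depend on whatever axis labels the same URL carries.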