I'm looking for some more input on an issue I have with an XML encryption library, Santuario. First off, love the library, but opened this issue and getting some resistance.

The library logs in DEBUG level decrypted content and I believe this should be removed and is a security concern. Can anyone give their insight?

https://issues.apache.org/jira/browse/SANTUARIO-413

EDIT: Here is some more clarification on a use case:

To understand the concern please read the following example (let's pretend it's an app running on Android):
Security is all about layers – changing a log4j.properties file is orders of magnitude easier than reverse engineering a Java library and extracting an AES key that has been obfuscated before being placed in the code, for example. I'd prefer to stop people from seeing decrypted content just by modifying the log4j and changing it to DEBUG.
I'm not really sure it is a valid security concern. Putting any application in debug mode is going to expose a lot of information (even decrypted) to users. It's kind of assumed that you'll never be using debug mode in production.

A notification is warranted, though: "Hey, you should probably not use this in production."
In DEBUG level it is fine to log decrypted content; it is not a security concern, and is quite welcome.

If you're using DEBUG level logging in production, that is the security concern. The functionality isn't.

The argument "what if the bad guy can change the logging level?!" is pretty weak; if such a person could change such a thing, they could also change a lot of even worse things and likely make that just the tip of the iceberg.

Seems like your mental model of the security is a little off. If the system is compromised your Java XML encryption library isn't going to save you, in particular as you have to be storing the private keys on the same system.
It's a concern, yes, but also useful functionality. Two examples from other software: OpenSSH AFAIR logs every keystroke when in high enough log levels (and accordingly warns that using DEBUG1-DEBUG3 log levels violates user privacy). Postfix will log user passwords if asked to do so.

Having multiple levels of DEBUG like OpenSSH or extra options like Postfix probably is a good idea, as is printing an explicit warning if started with such log levels.
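One way to implement the "extra option plus explicit warning" design suggested in this reply, as an added example that is not part of the thread or of Santuario's own code: decrypted bytes are logged as length plus a fingerprint by default, even when the logger is at FINE/DEBUG, and only a separate, hypothetical `example.xmlsec.logPlaintext` system property (an assumed name) switches plaintext logging on, with a one-time WARNING when it does. It uses java.util.logging so it runs on a bare JDK 17+ without log4j.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;
import java.util.logging.ConsoleHandler;
import java.util.logging.Level;
import java.util.logging.Logger;
/** Decides what a DEBUG/FINE log line about decrypted XML may contain. */
public final class PlaintextLogGate {
    private static final Logger LOG = Logger.getLogger(PlaintextLogGate.class.getName());
    // Hypothetical opt-in switch, deliberately separate from the log level:
    // turning a logger up to DEBUG on its own must not be enough to dump plaintext.
    static final String OPT_IN_PROPERTY = "example.xmlsec.logPlaintext";
    private static boolean warned;
    static String describeDecrypted(byte[] plaintext) {
        if (!Boolean.getBoolean(OPT_IN_PROPERTY)) {
            // Safe default: size and a fingerprint are enough to correlate
            // a debugging session without revealing the decrypted document.
            return "decrypted " + plaintext.length + " bytes, sha256=" + fingerprint(plaintext);
        }
        if (!warned) {
            warned = true;   // one explicit warning, like OpenSSH gives for its DEBUG levels
            LOG.warning(OPT_IN_PROPERTY + "=true: decrypted XML will be written to the log");
        }
        return "decrypted content: " + new String(plaintext, StandardCharsets.UTF_8);
    }
    static void logDecrypted(byte[] plaintext) {
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine(describeDecrypted(plaintext));
        }
    }
    private static String fingerprint(byte[] data) {
        try {
            // First 8 bytes of SHA-256, hex-encoded: identifies the document, reveals nothing of it
            return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(data), 0, 8);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }
    public static void main(String[] args) {
        ConsoleHandler handler = new ConsoleHandler();
        handler.setLevel(Level.FINE);
        LOG.addHandler(handler);
        LOG.setUseParentHandlers(false);
        LOG.setLevel(Level.FINE);
        byte[] sample = "<Secret>hunter2</Secret>".getBytes(StandardCharsets.UTF_8); // constructed input
        logDecrypted(sample);                          // FINE alone: length + fingerprint only
        System.setProperty(OPT_IN_PROPERTY, "true");
        logDecrypted(sample);                          // opted in: WARNING once, then plaintext
    }
}
```

Editing log4j.properties to DEBUG on its own then yields only sizes and fingerprints; exposing plaintext needs the second, separately auditable switch.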