I'm pretty sure similar questions have been asked around the net, but I couldn't really find a satisfying answer. In general, I plan to build a shared Java application that has a secret token that is used for authentication towards the Discord API. I do not want to set up or use a sophisticated server environment on my side.
I would summarize the methods I have taken a closer look into as the following:
- use any sort of encryption/decryption -> would shift the problem into "how do I keep my password for decryption secure" or where do I store my public/private key stuff without having my own infrastructure
- use any sort of self hosted infrastructure -> nope do not want that
- using any sort of database -> what's the benefit if it's not in a different infrastructure
- OAuth - doesn't work without proper authentication
- obfuscation - doesn't provide any sort of additional protection, just would increase the time to find the secret
Is there any general approach to actually making a shared secret secure inside a shared Java application? Even when considering that all web traffic can be captured (Wireshark), connections could potentially be redirected to localhost (add my server to the hosts), obfuscation can be deobfuscated, ...
Thanks,