I have a small tool I’m designing which would require a configuration file of some sort. The configuration file in my case is really more of a database, but it needs to be lightweight, and if needed the end-user should find it easily editable. However, it will also contain a lot of things (depending on certain factors, it could be 1Mb or more).
I’ve decided I’d rather use plain ol’ text, rather than trying to use SQLite or some such. However, with using text, I also have to deal with the variety of formats. So far, my options are
The data in my file is quite simple, consisting for the most part of key-value type things. So, a custom format wouldn’t be that difficult… but I’d rather not have to worry about writing the support for it. I’ve never seen JSON used for configuration files. And XML would bloat the file size substantially, I think. (I also just have a dislike of XML in general.)
What should I do in this case?
Factors to consider:
- This configuration file can be uploaded to a web service (so size matters)
- Users must be able to edit it by hand if necessary (ease of editing and reading matters)
- Must be able to generate and process automatically (speed doesn’t matter a lot, but not excessively slow)
- The “keys” and “values” are plain strings, but must be escaped because they can contain anything. (Unicode and escaping have to work easily)
- Multiple configuration files. Basically, each config file is tied to one “project”
I’d like to use EncFS to encrypt files synced with Dropbox. Unfortunately, its Wikipedia page https://en.wikipedia.org/wiki/EncFS mentions security concerns from an audit of version 1.7:
EncFS is not safe if the adversary has the opportunity to see two or more snapshots of the ciphertext at different times.
Someone with access to my Dropbox account will have exactly that: Dropbox stores multiple previous versions of a file after it’s been modified, which is exactly “two or more snapshots of the ciphertext at different times”.
In 2015, this was confirmed, for example, in this question: Is ENCFS secure for encrypting Dropbox?
Regarding version 1.8, Wikipedia states:
The announcement of EncFS 1.8 included several underlying design changes, acknowledging the security concerns raised in the previous audit. However, certain concerns still remain regarding those vulnerabilities.
Which concerns do remain? Is the issue regarding Dropbox fixed?
Also, according to https://github.com/vgough/encfs/releases the most recent version is now 1.9.5.
Is it still not advisable to use those recent versions of EncFS to encrypt Dropbox? Does the issue with “two or more snapshots of the ciphertext at different times” still exist?
Please bear with me, I’m a total newbie about security.
I work in a company whose main goal is to maximize profits and use free stuff as much as possible. Its effect is that we use tons of freeware web apps that help us with production efficiency.
Also, with regard to reports, we mostly use Excel to pass around information or dashboards.
A couple of months ago, the company needed to adhere to the data privacy act, which required everything to be password protected, which covers the Excel files.
Now, everyone keeps forgetting their passwords. So a solution was raised: to create a system that centralizes all the passwords of a certain group. Basically, it’s a notepad containing all the passwords of a team for their reports.
Is this even a good idea?
From a developer POV, there should be systems that help people do their stuff without using Excel, and SSO must be implemented, but since the company won’t provide budget for technology, we are in this situation.