protobuf 获取一些数据的安全性如何? [英] How secure the protobuf is to get some of the data out?
问题描述
如果没有任何加密,如果接收者有序列化的 Protobuf 文件但没有生成的 Protobuf 类(他们无权访问定义其结构的 .proto 文件),他们是否有可能从二进制文件中获取 Protobuf 文件中的任何数据?
Without any encryption, if the recipient has the serialized Protobuf file but does not have the generated Protobuf class (they don't have access to the .proto file that define its structure), is it possible for them to get any data in the Protobuf file from the binary?
如果他们有权访问 .proto 文件的一部分(例如,文件中只有一个相关的message),他们能否从整个文件中获取该数据的一部分跳过其他未知部分?
If they have access to a part of the .proto file (for example, just one related message in the file) can they get a part of that data out from the entire file while skipping other unknown parts?
推荐答案
- 是的,绝对的;
protoc工具可以帮助解决这个问题(请参阅:--decode_raw),https://protogen.marcgravell.com/decode - 所以它根本不应该被视为安全" - 是的,绝对 - 这是协议中内置的一个关键部分,它允许消息可扩展,以便他们可以解码他们理解的位,并忽略或只存储(对于往返或扩展"字段)他们的位不明白
- yes, absolutely; the
protoctool can help with this (see:--decode_raw), as can https://protogen.marcgravell.com/decode - so it should not be treated as "secure" at all - yes, absolutely - that's a key part built into the protocol that allows messages to be extensible such that they can decode the bits they understand and either ignore or just store (for round-trip or "extension" fields) the bits they don't understand
protobuf 不是安全设备;对于使用正确工具的人来说,它与 xml 或 json 一样可读,但有一个小问题,即不确定如何解释某些值;但是:你可以推断、猜测和逆向工程
protobuf is not a security device; to someone with the right tools it is just as readable as xml or json, with the slight issue that it can be uncertain how to interpret some values; but: you can infer and guess and reverse engineer
这篇关于protobuf 获取一些数据的安全性如何?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
