Encrypted irsetup.dat

[me0007]

Hi there,

when a setup is launched, several files are decompressed to the current \temp folder, just like the irsetup.dat file.

Unfortunately, exatcly that file holds all the information of a setup project. It can be viewed with a regular text editor, as it is not encrypted in any way.

The problem is, that I need to create a couple of setups with some internal settings that should remain secret (actions and conditions). With an unencrypted irsetup.dat file it is just a couple of minutes of work to find out how exactly a setup works, and what actions and conditions are set.

Suggestion: for the next version of SF, please make the irsetup.dat to be encrypted (optional). That would help a lot and would make confidential setups more secure.

Thanks,

Steve

[NetSeeker]

If you encrypt a part of the setup (e.g. irsetup.dat) it is very simple to decrypt, because the decryption key must be part of the setup.

It is better that you don't rely on secrets in your setup.

E.G. If you want to install a password, use a secure hash function as RIPE MD 160 or SHA1 to hash the password in your software.
Than you can install the password hash ( in cleartext )
nobody will be able to reproduce this hash without the original password. Therefore it is really secure if you publish the hash on your website or in facht include the hash in your setup action.

This will also fix a security hole in your software, because you have to install this password on the machine too. Evereybody can read it from there!

[Brett]

Just a note - when you use password lists in SUF 6.0.1.3 or later the lists are actually MD5 encrypted so that they are impossible to reverse-engineer.

[me0007]

Thanks for your feedback!

:-)