[Tutor] Value of tracebacks to malicious attackers?

boB Stepp robertvstepp at gmail.com
Sat Jan 23 23:52:27 EST 2016


From page 202 of "Python Crash Course":  "..., but it's also not a
good idea to let users see tracebacks.  Nontechnical users will be
confused by them, and in a malicious setting, attackers will learn
more than you want them to know from a traceback.  For example,
they'll know the name of your program file, and they'll see a part of
your code that isn't working properly.  A skilled attacker can
sometimes use this information to determine which kind of attacks to
use against your code."

How much concern do you give this in designing and implementing your
production code?  How far do you go in handling exceptions to ensure
that tracebacks cannot arise for a malicious user?  Is it even
possible to prevent this from happening?  I am highly doubtful that it
is possible to handle all possible exceptions in any reasonably
complex application.

Of course for many applications these concerns are probably
inconsequential.  I don't think I would be gravely concerned if
someone cracked into my tic-tac-toe game deployed to some freebie
site.  OTOH, if I was deploying an online payment system, I would be
much more concerned.  Awaiting your collective wisdom...

TIA!
boB
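
One common answer to the question above, as an added example that is not part of the original post: rather than handling every exception individually, a single last-resort wrapper logs the full traceback where only operators can read it and gives the user a generic message with a reference id. The names `build_private_logger`, `run_guarded` and `parse_amount` are hypothetical, and the in-memory stream stands in for a protected log file.

```python
import io
import logging
import uuid


def build_private_logger(stream):
    """Operator-only logger; `stream` stands in for a protected log file."""
    logger = logging.getLogger("app.errors." + uuid.uuid4().hex)
    logger.propagate = False  # keep tracebacks out of any console handler
    logger.addHandler(logging.StreamHandler(stream))
    logger.setLevel(logging.ERROR)
    return logger


def run_guarded(func, logger, *args, **kwargs):
    """Run func; on any unhandled exception, log the traceback privately
    and return only a generic message plus a reference id."""
    try:
        return True, func(*args, **kwargs)
    except Exception:  # KeyboardInterrupt/SystemExit still propagate
        ref = uuid.uuid4().hex[:8]
        # logger.exception() appends the full traceback to the log record
        logger.exception("unhandled error ref=%s", ref)
        return False, f"Something went wrong. Reference: {ref}"


def parse_amount(text):
    # Constructed sample handler that raises ValueError on unexpected input
    return int(text) * 100


if __name__ == "__main__":
    private_log = io.StringIO()
    logger = build_private_logger(private_log)
    print(run_guarded(parse_amount, logger, "12"))      # normal path
    print(run_guarded(parse_amount, logger, "twelve"))  # user sees no traceback
    print("--- operator log ---")
    print(private_log.getvalue())
```

The reference id lets support staff find the matching traceback in the log without the user ever seeing file names or source lines.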

