undefined | Better HN

0 pointslawl11y ago0 comments

For Switzerland there's a java based software that allows you to print a PDF in the end you can send by snail-mail.

See this page if you're interested: https://translate.google.com/translate?sl=auto&tl=en&js=y&pr...

They also have a web based solution, but I personally prefer not to use it, because I don't trust it.

0 comments

tonfa11y ago

I switched to the online version, and I can't really tell the difference vs. the java software.

Out of curiousity what do you not trust?

lawlOP11y ago

(The difference is that the java software runs localy and spits out a PDF for snailmail, and the online version is a webapp that directly transmits our stuff to the server.)

I don't trust to store this stuff in a remotely secure manner for the online version. I have no idea how their setup looks like, but I expect they'll throw it in some kind of database and are done with it. That would be the worst case.

If anyone manages to compromise the application server, they can see all the data.

I don't trust them to have a sane architecture where the application server has basically write only access to the database. I don't trust them to encrypt the data with a public key to process them later on on a box that doesn't serve random requests from the internet.

I have more faith in them beeing able to physically guard a piece of paper, even if they'll scan it and then process it digitally later on (which they do), you can not access it by exploiting an SQL injection on the public internet (hopefully).

Edit: I just checked their website again and it seems to confirm my suspicion about their architecture. Seems you could even get access to all data from previous years:

> If the online solution [was] used in the previous year, the previous data will be available automatically.

Sure, they could encrypt each dataset with they key the provide to each user, but i doubt it.

j / k navigate · click thread line to collapse