I'm looking for some more input on an issue I have with an XML encryption library, Santuario. First off, love the library, but opened this issue and getting some resistance.
The library logs in DEBUG level decrypted content and I believe this should be removed and is a security concern. Can anyone give their insight?
https://issues.apache.org/jira/browse/SANTUARIO-413
EDIT: Here is some more clarification on a use case:
To understand the concern please read the following example (let's pretend its an app running on Android):
Security is all about layers – changing a log4j.properties file is orders of magnitude easier than reverse engineering a Java library and extracting an AES key that has been obfuscated before being placed in the code, for example. I'd prefer to stop people from seeing decrypted content just by modifying the log4j and changing it to DEBUG.
A notification is warranted, though, "Hey you should probably not use this in production."