Today at work I was confronted with a weird little thing, and I realized it wasn't the first time I had been confronted with this concept. Two younger colleagues of mine discovered a "security bug" in an older application. Basically the thing is from 2004 but was migrated and migrated and rewritten from technology to technology. Its technology is more or less up to date now, and we have this bad boy behind a proxy for https-only.
Since back then it has contained a list of several thousand strings of 2-3 sentences. Older developers back then considered this too much to transmit between client (now browser) and backend (now Java). So they decided to encode all strings as numbers 1, 2, 3, ..., with the list kept in the backend. The frontend only pulls the full string when looking at one item instead of long lists.
The two younger developers think this is "custom crypto" and know from uni that custom crypto is the big no-no. I told them that they are correct that custom crypto is a big no-no, but that this case isn't custom crypto - the application uses a custom encoding for data.
Have you ever met such a confusion between cryptography and encoding? If yes where does it stem from? Thoughts?
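The integer-ID scheme described in the post, written out as an added example (not code from the original thread or the application); the catalog strings are constructed sample data, and it shows both the bandwidth saving that motivated the scheme and why a keyless, fully reversible table is an encoding rather than a cipher.

```python
"""Added example: string-to-ID encoding of the kind the post describes.
The catalog below is constructed sample data, not the real application's."""
import json

# Constructed stand-in for the application's list of 2-3 sentence strings.
CATALOG = [
    "The invoice must be approved before shipment. Contact billing for exceptions.",
    "Warehouse B closes at 18:00. Late pickups are rescheduled to the next day.",
    "Returns require the original packaging. Refunds are issued within 10 days.",
]

# Backend side: a bijection between strings and small integers.
# This is an encoding: a public, keyless, fully reversible mapping.
ID_TO_STRING = dict(enumerate(CATALOG, start=1))
STRING_TO_ID = {s: i for i, s in ID_TO_STRING.items()}


def encode_list(strings):
    """Turn a list of catalog strings into the IDs the frontend receives."""
    return [STRING_TO_ID[s] for s in strings]


def lookup(item_id):
    """What the frontend fetches when it opens a single item.

    No secret is involved: anyone who can call this recovers the text,
    so the scheme buys compactness, not confidentiality. Protection of
    the data in transit comes from the https-only proxy, not from the IDs."""
    return ID_TO_STRING[item_id]


def payload_sizes(strings):
    """Bytes on the wire for a JSON list of IDs vs the full strings."""
    ids = encode_list(strings)
    return (len(json.dumps(ids).encode()), len(json.dumps(strings).encode()))


def round_trips(strings):
    """The defining property of an encoding: decode(encode(x)) == x for every x,
    using nothing but the shared table (no key, no secret)."""
    return [lookup(i) for i in encode_list(strings)] == list(strings)
```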
Most definitely. There's a lack of understanding around this stuff--the difference between ciphers (stream translation) and codes (semantic replacement). I've made a lot of hacks like this in my 20+ year SWE career and been met with misguided interpretations--which is why documenting excessively to explain the WHY as much as the WHAT is critical. Additionally, this is a great example of why I replaced Java with Node.js and SQL with JSON files in S3. Speaking JSON all the way down the stack prevents odd data type conversion and library assumptions. The old way was like speaking in English (JSON), formulating sentences in French (Java), and remembering everything in German (SQL). Now it's English all the way down.