Hi Tom, That's grand, thanks a million for your reply. I'll look into using SSL anyway.
Thanks again, Suzy -----Original Message----- From: Tom Oinn [mailto:[EMAIL PROTECTED] Sent: 18 August 2004 13:16 To: [EMAIL PROTECTED] Subject: Re: Limiting Access to the server Suzy Fynes wrote: > Hi, > > > > Can anyone tell me the best possible way to control access to the Web > Service server without using SSL certs or encryption? No. Security is hard, and if, hypothetically, you're working for a financial institution then you'd better do it properly or not at all. If you want a secure service which uses neither SSL nor any kind of encryption your only option is going to be to remove the computer which the service runs on from any public network, and never ever connect it. You can restrict access by using HTTP basic authentication but this is not secure, the password and username is sent in cleartext across the (public) network, any moron with a password sniffer can go through this level of security in the time it's taken me to type this paragraph. This might just barely be acceptable if you are on a completely secure internal network (of course, there's no such thing as a completely secure network) This doesn't just apply to web services, this is standard network security. On the plus side, SSL isn't actually that hard - a quick cross reference of your email address to website suggests you might want to investigate further. Cheers, Tom
