Yeah, I agree encrypting all variables is a bit much, but encrypting some
of them might be enough to make the casual hacker move on to a different
server without encrypted variables.  If that person really wanted to
decrypt those variables, they could.  The most important thing to do is
to make sure data is validated before you do anything with it.


Kevin


  _____  

From: Kwang Suh [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 23, 2004 11:39 AM
To: CF-Talk
Subject: Re: Securing CF Apps.


There is nothing inherently wrong with letting users see fuseaction
names.

And to use a very weak form of "encryption" that makes you think that
you're somehow safe against attacks is an extremely bad situation to be
in.

----- Original Message -----
From: Adrocknaphobia <[EMAIL PROTECTED]>
Date: Tuesday, March 23, 2004 9:24 am
Subject: Re:   Securing CF Apps.

> Point being, if you want a secure app, don't let users see your
> fuseaction names.
>
> -adam
>
> > -----Original Message-----
> > From: Kwang Suh [EMAIL PROTECTED]
> > Sent: Tuesday, March 23, 2004 04:14 PM
> > To: 'CF-Talk'
> > Subject: Re:  Securing CF Apps.
> >
> > > Yes. All URL and FORM variables should be encrypted.
> >
> > This is beyond silly.
> >
> > Especially if
> > > you are using a fusebox methodology.
> >
> > Using or not using Fusebox has nothing to do with the situation.
> >
> >
> >
> >
>
>