> -----Original Message-----
> From: Eric Roberts [mailto:[EMAIL PROTECTED]
> Sent: Monday, March 05, 2007 1:11 AM
> To: CF-Talk
> Subject: RE: Why does IE s*(k... let me count the ways.
> 
> What does that have to do with a site that is online? That's a pretty bad
> excuse, in my opinion, to just leave it wide open to the world...the
> information you give management should suffice.  If they don't trust what
> you have to say, what's the point in having you as an employee...they did
> hire you for your expertise.  That would be like setting up a wireless
> network and not using WEP to start out with and just leaving it open because
> your WPA-PSK server isn't set up yet.

That's a poorly mixed metaphor.

If you convince others that something is "secure" (through obscurity) when
it's not then future problems place your head on the block.  Pure and
simple.

If you can't do it right, then either don't do it and report on the
consequences or make damn sure that management acceptance of your concerns
are in writing.
 
> My main issue is that it creates ugly urls.  You ever try and paste one of
> those in an email?  Most of them wrap the text and that doesn't get included
> in the link the email program produces.  An attractive site is part of the
> game we play here...urls included.

It depends.  The instance in question really doesn't matter - it's a popup
with no address bar.

But in the world of web design pretty URLs may be nice, but there are a few
things to remember:

1) "Pretty" is in the eye of the beholder.  I like my URLs descriptive - my
URLs tend to form a complete breadcrumb trail and are section independent
(lop off sections and you still get page).  However they're long.

Others like their URLs as short as possible no matter how obscure things
get.

It's subjective.

2) Attempts to make a URL pretty should never be weighed against usability
of the site or application.  If adding more information makes the site more
usable, do it.  URL attractiveness is far down the list of concerns - but it
IS on the list, of course.

> Obscurity is a small bit of security in that it does keep the honest folks
> honest.  Even people that know what they are doing would at least have to
> take some action to find the values.  Putting it all in the url is doing
> their job for them.  I wouldn't transfer bank accounts or credit cards with
> just this alone...I definitely wouldn't do it, even encrypted, in a url at
> any time.

What matters is the complete security "picture" of the site.  For example,
using SSL and most any reliable single token security system is legally
enough to allow you to pass critical information in most applications -
whether it's a POST or a GET.

But certain information MUST be secured - if you "fake" security through
obscurity you're liable.

Most companies (and every Fortune 500 I've worked for) have an "associate
responsibility" document of some kind.  This usually says, among other
things, that if you knowingly compromise the security of company data then
you, personally, will be liable for damages, punishment or termination.

With the various information protection acts in use in various states and
the federal acts such as HIPAA, you can't afford to screw around with this
stuff anymore.

Don't put out a crappy stop gap to "keep honest people honest" - either do
it right or don't do it.  And if you're still forced to do it, make sure you
divest yourself of responsibility in the matter (in writing).

This is why I maintain that doing nothing is better than doing something
incompetent, security-wise.

Jim Davis

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271533