It's not a failure of the industry experts to understand the problem.  It's
the failure to have a problem in the first place, honestly.  I think that,
while you are clearly working hard to wrap your arms around the subject...
you aren't there yet.

What you want to do is inherently insecure... use client-side code to
enforce a component of security?  How would you protect the client-side code
from being hacked and manipulated to ill effect?  What scenario will you be
covering, since the transmission off the screen is fully covered by the
https protocol and a certificate?  The only threat left is someone looking
over the hapless user's shoulder and writing down their input, and in your
capacity as developer you cannot protect against this type of threat.

And client-side code is inherently open and available to the ... client.
Open for inspection and giving clues to the server side tools in use;
providing insight to the thoughtful hacker as to how they go about their
next step in their attack against you.

So if the client desktop is its own problem outside your control, and the
transmission has a globally-accepted, universal solution in place, that only
leaves the server side, and there you do indeed have quite a lot of wiggle
room with respect to doing it badly versus doing it well.

Just for starters, if you are hashing something (like a password) I would
say you have made a mistake right there if it's a simple hash.  Use a salted
hash always.  I know cfencrypt/cfdecrypt has made great strides in CF7, but
I'm not sure if it is really industrial-strength?  I'll leave that question
to others.  I rely on 3rd-party tools that give me RSA asymmetric-key
encryption of selectable strength, personally.

> "SSL is used for confidentiality, not Data Integrity"

That is incorrect.  Read the Wikipedia article that was linked a few posts
back in this thread.

While you need to exercise care and perform due diligence, some of this is a
lot simpler than you are making it out to be.  Worry about the server side.
The rest is effectively out of your hands due to the nature of the medium.


-- 
[EMAIL PROTECTED]
Janitor, The Robertson Team
mysecretbase.com


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:286886