Sad but true, users will be users despite our best efforts. I was worried that I missed something and all security evaporated overnight. Stranger things have happened.

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Friday, February 08, 2008 4:27 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)

Yes. Man-in-the-middle proxy to decrypt traffic on the fly. I don't need to decrypt the traffic; I let SSL do all the work and just pass the communications through my proxy. Encrypted tunnels exist between browser -> proxy and proxy -> server. You receive a certificate warning, but most users will accept them not knowing what the warning is or why it exists. Google Paros, Fiddler, Burp Proxy, etc.

-dhs

Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"I have always strenuously supported the right of every man to his own opinion, however different that opinion might be to mine. He who denies another this right makes a slave of himself to his present opinion, because he precludes himself the right of changing it."
-- Thomas Paine, 1783

On Feb 8, 2008, at 4:13 PM, Fennell, Mark P. wrote:

<disbelief>
Lemme get this straight. You can decrypt SSL traffic into a human-readable format? You can crack a 128-bit certificate? What about a high-grade AES 256-bit pipe?
</disbelief>

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Friday, February 08, 2008 4:01 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)

If secure AMF is just AMF over SSL... it's easy enough to modify in transit.

Darin, if you or your organization wants a demo of why these things are insecure, let me know. I'll be more than happy to do some live web hacking for you. (And yes, Charlie, I haven't forgotten about you and the meetup...)

-dhs

Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"Dissent is the purest form of patriotism."
-- Thomas Jefferson

On Feb 8, 2008, at 3:55 PM, Dean H. Saxe wrote:

*cough* BS. Flash can be decompiled. I can watch all of the traffic. Even over SSL. I can modify AMF (I'd have to look @ secure AMF). If you'd like to challenge me to hack the app, let me know. I'm up for it. ;-)

-dhs

Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"If liberty means anything at all, it means the right to tell people what they do not want to hear."
-- George Orwell, 1945

On Feb 8, 2008, at 11:52 AM, Darin Kohles wrote:

You can always build a Flex (or Flash for that matter) application that can be put in your page as a 1px by 1px (I'm not sure if 0 by 0 will work) that has nothing on the stage with wmode="transparent". This application can now act as your portal between the browser via JS using the External Interface (or fsCommand going back to Flash ~6). Then your "invisible" Flex/Flash app can leverage all the connection types available (AMF/SecureAMF, Webservice, HttpService etc...) in a manner that is not easily accessible to any hacker (you can hide all kinds of security checks within this app). I've always wanted to do a benchmark of this type of app side by side with standard Ajax, but the bottom line is that the only browser-specific code would be in how the returned data is applied to affect the client content.

On Feb 8, 2008 11:20 AM, shawn gorrell <[EMAIL PROTECTED]> wrote:

Charlie, my main issues with AJAX are dealing with cross-browser issues, and security. AJAX exposes some of the most annoying cross-browser DHTML sort of things. Using libraries and frameworks can insulate you from that to a degree, but not always completely. I've got a customer doing things with Google Maps and we've had some differences between IE and FF that have been difficult to solve. People have gotten so excited about using AJAX that they have forgotten basic security principles (things like validating input). I recently read an article that discussed the security holes in the more commonly used frameworks, so the issue isn't just with roll-your-own AJAX, it is more pervasive.

But, those things said, ultimately I think it is a step forward in making a richer browser experience (not as much as Flex though). There are just some fleas on the dog that folks should be aware of in advance.

----- Original Message ----
From: Charlie Arehart <[EMAIL PROTECTED]>
To: discussion@acfug.org
Sent: Friday, February 8, 2008 10:58:47 AM
Subject: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)

That seems a curious statement, Forrest, and I'm sure some would enjoy a bit of discussion on it. For those who weren't following closely, he had asked first about some challenges using a CFX_google custom tag, and in the replies he was told that it's quite old and that Google favors some Ajax APIs instead. Forrest replies he hoped the "Ajax thing would just go away".

So, do you realize that Ajax is merely a way to make browsers smarter? It enables them to make calls to remote servers. Sure, we could do that in the past with Java applets, ActiveX controls, Flash, and even plain Javascript. And we could of course do it from the server using either REST or SOAP apis. Ajax is just a simplified API to enable that very javascript-based client-server interaction. For those who need to talk to servers from clients (either because they can't or don't want to involve a server to proxy the communications for them), we don't want them to go back to Java and ActiveX, do we? :-)

And while we may wish everyone would use Flex, it's just not likely. Many will, for the much larger problem space it solves, but for the average web developer, it's not really as simple as dropping in some AJAX API calls. If Google (or other vendors) want to create a way for people to connect, and they want to make it work regardless of what web app server platform people use (and as well for those who have no server), and they provide an Ajax-based API to what (I suppose are otherwise REST-based) services, that seems to be just being smart, widening the pool of possible users.

Look at it another way (for us CFers), they (like Amazon, Ebay, and others) could instead just document calling from Java, ASP.NET, and PHP. They tend to not go that one step further to include CF. At least by their offering a platform-agnostic solution that doesn't require any server-side processing, they've helped more than just those who have no server to make calls from.

Just some thoughts. I'm not fanatical about all this, and I may well myself be missing a point. But since this is the ACFUG "discussion" list, that comment seemed one worth discussing. :-)

/charlie

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Forrest C. Gilmore
Sent: Thursday, February 07, 2008 5:30 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] JVM version and ColdFusion

Thanks, Charlie. Your comments were very helpful! I have been hoping that this AJAX thing would just go away, as it seems to me to be a step backwards, but it looks like it will be around a while longer!

Forrest C. Gilmore
========================

Charlie Arehart wrote:

Forrest, I realize you've perhaps abandoned the effort, but I'll throw out some clarification if it's useful, first about the JRE/CFX issue, then about calling the google search APIs.
<snip>

-------------------------------------------------------------
Annual Sponsor FigLeaf Software - http://www.figleaf.com
To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
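Added example, not part of the thread above and not code from any project mentioned in it. Dean's point is that a proxy sitting between the browser and the server can rewrite anything the client sends even over SSL, and that the "invisible" Flash app Darin describes can be decompiled, so the checks that matter have to run on the server. The Python below shows what that looks like for one Ajax/AMF-style endpoint: the caller's identity comes from the server-side session rather than the request body, unknown fields are rejected, values are type- and range-checked, and account ownership is verified against server data. The session store, accounts table, field names and request bodies are all constructed for this example.

```python
"""Server-side validation for an Ajax/AMF-style transfer endpoint.

The "client" may be an intercepting proxy rather than the real browser or
Flash movie, so nothing in the request body is trusted: the caller's
identity comes from the server-side session, every field is checked
against an allowlist, and any privilege flag the client adds is rejected.
All names and sample data here are constructed for the example.
"""
import json
import re

# Constructed server-side state: session store and accounts table.
SESSIONS = {"sess-1": {"user_id": 42}}
ACCOUNTS = {
    "ACC-1001": {"owner": 42, "balance": 500},
    "ACC-2002": {"owner": 7, "balance": 900},
}
ALLOWED_FIELDS = {"from_account", "to_account", "amount"}
ACCOUNT_RE = re.compile(r"^ACC-\d{4}$")


class RequestRejected(ValueError):
    """Raised for any request that fails server-side validation."""


def parse_transfer(raw_body: str) -> dict:
    """Decode and validate the request body, rejecting unexpected fields."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        raise RequestRejected(f"malformed JSON: {exc}") from None
    if not isinstance(body, dict):
        raise RequestRejected("body must be a JSON object")
    extra = set(body) - ALLOWED_FIELDS
    if extra:
        # Fields such as "is_admin" that the real client never sends.
        raise RequestRejected(f"unexpected fields: {sorted(extra)}")
    missing = ALLOWED_FIELDS - set(body)
    if missing:
        raise RequestRejected(f"missing fields: {sorted(missing)}")
    for key in ("from_account", "to_account"):
        if not isinstance(body[key], str) or not ACCOUNT_RE.match(body[key]):
            raise RequestRejected(f"{key} is not a valid account id")
    amount = body["amount"]
    # bool is a subclass of int in Python; reject it explicitly, and reject floats.
    if isinstance(amount, bool) or not isinstance(amount, int):
        raise RequestRejected("amount must be an integer")
    if amount <= 0 or amount > 10_000:
        raise RequestRejected("amount out of range")
    return body


def handle_transfer(session_id: str, raw_body: str) -> dict:
    """Apply a transfer only if the session owner owns the source account."""
    session = SESSIONS.get(session_id)
    if session is None:
        raise RequestRejected("no valid session")
    user_id = session["user_id"]  # identity from the server, never from the body
    req = parse_transfer(raw_body)
    src = ACCOUNTS.get(req["from_account"])
    dst = ACCOUNTS.get(req["to_account"])
    if src is None or dst is None:
        raise RequestRejected("unknown account")
    if src["owner"] != user_id:
        # Whatever the JS or Flash client checked is irrelevant; this check decides.
        raise RequestRejected("source account not owned by caller")
    if src["balance"] < req["amount"]:
        raise RequestRejected("insufficient funds")
    src["balance"] -= req["amount"]
    dst["balance"] += req["amount"]
    return {"ok": True, "from_balance": src["balance"]}


def outcome(session_id: str, raw_body: str) -> str:
    """Return 'accepted' or the rejection reason, for easy comparison."""
    try:
        handle_transfer(session_id, raw_body)
        return "accepted"
    except RequestRejected as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed requests: one the real client would send, two altered in transit.
    print(outcome("sess-1", '{"from_account":"ACC-1001","to_account":"ACC-2002","amount":100}'))
    print(outcome("sess-1", '{"from_account":"ACC-2002","to_account":"ACC-1001","amount":100}'))
    print(outcome("sess-1", '{"from_account":"ACC-1001","to_account":"ACC-2002","amount":100,"is_admin":true}'))
```

The design choice worth noting is that the endpoint never reads who the caller is from the payload: a proxy can change `from_account` or add an `is_admin` flag, but it cannot change which server-side session the cookie maps to, so ownership is decided from that session and the server's own records.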