On Tue, May 20, 2008 at 4:54 PM, Aaron Miller <[EMAIL PROTECTED]> wrote:
> Are you using any kind of token-based authentication to serve the
> data? All the SSL in the world wouldn't stop someone from just sending
> POST or GET vars to your PHP scripts and getting the data back in nice
> pretty XML. Decompiling the SWF would make it real easy to figure out
> what vars to send where. If users do not have to log in at all, then
> perhaps you could do something with PHP sessions to verify the source
> of the requests before serving any data.
>
> Regards,
> ~Aaron
>
> On Tue, May 20, 2008 at 4:25 PM, andrewwestberg
> <[EMAIL PROTECTED]> wrote:
>> I think you're confusing simple secret-key encryption (DES, AES,
>> etc.) with public/private key encryption (RSA).
>>
>> In secret-key encryption, if an attacker steals the data and guesses or
>> brute-forces the secret key, they can see the data.
>>
>> In public/private key encryption, a message you send to the server is
>> encrypted by a public key and can ONLY be decrypted by a private key
>> known only to the web server (the certificate you bought from VeriSign,
>> Thawte, etc.). This is how, when you sign onto PayPal or some other
>> site over HTTPS, you don't have to worry about your credit card being
>> stolen in transmission. Sitting in some DB at the company where
>> employees can get at it, you should worry, but during transmission
>> it's unlikely to get cracked.
>>
>> -Andrew
>
> --
> Aaron Miller
> Chief Technology Officer
> Open Base Interactive, LLC.
> [EMAIL PROTECTED]
> http://www.openbaseinteractive.com
--
Aaron Miller
Chief Technology Officer
Open Base Interactive, LLC.
[EMAIL PROTECTED]
http://www.openbaseinteractive.com
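Aaron's point above, that TLS protects data in transit but does nothing to stop a client from calling the PHP endpoint directly once the parameter names are read out of the SWF, is usually addressed by tying every data request to a server-side session and a session-bound token. The following is an added PHP example written for this thread, not code from Aaron, Andrew or the original poster. It assumes a login handler (not shown) has already set `$_SESSION['user_id']`, a hypothetical helper `issue_api_token()` that the login handler calls once, a POST parameter named `token`, and PHP 7.3 or later for the array form of `session_set_cookie_params()`.

```php
<?php
// Added example (not from the thread): a PHP data endpoint that refuses to
// serve XML unless the request carries a valid server-side session and a
// per-session request token. Endpoint layout, the 'token' parameter name and
// the 'user_id'/'api_token' session keys are assumptions for illustration.
declare(strict_types=1);

// Harden the session cookie before the session starts: no session ids in
// URLs, HttpOnly so script cannot read it, Secure because the thread
// discusses serving the SWF over HTTPS.
ini_set('session.use_only_cookies', '1');
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

// Called once by the login handler after credentials check out. The token
// is random per session, so nothing recoverable from the SWF is reusable.
function issue_api_token(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['api_token'] = $token;
    return $token;
}

// Fail closed: no logged-in session, no token, or a mismatched token all
// mean the request is refused. Takes arrays so it can be tested in isolation.
function request_is_authorized(array $session, array $request): bool
{
    if (empty($session['user_id']) || empty($session['api_token'])) {
        return false;
    }
    $presented = $request['token'] ?? '';
    if (!is_string($presented) || $presented === '') {
        return false;
    }
    // Constant-time comparison so the check does not leak the token byte by
    // byte through response timing.
    return hash_equals($session['api_token'], $presented);
}

header('Content-Type: application/xml; charset=utf-8');

// Only accept POST, and only from a session that holds the matching token.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !request_is_authorized($_SESSION, $_POST)) {
    http_response_code(403);
    echo '<?xml version="1.0" encoding="UTF-8"?><error>forbidden</error>';
    exit;
}

// Authorized: build the XML with DOMDocument so values are escaped rather
// than concatenated into the document.
$doc  = new DOMDocument('1.0', 'UTF-8');
$root = $doc->createElement('data');
$doc->appendChild($root);
$root->appendChild($doc->createElement('user', (string) $_SESSION['user_id']));
$root->appendChild($doc->createElement('item', 'example record'));
echo $doc->saveXML();
```

The login handler would embed the value returned by `issue_api_token()` into the page that loads the SWF (for example as a FlashVar), and the client sends it back on every data request. The check does not prove the caller is the SWF, which is not something a server can verify; what it does is bind each request to an authenticated session, so an anonymous script that has only decompiled the client learns nothing it can replay. Where users never log in, as Aaron mentions, a session alone only adds friction, because anyone can obtain one.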