Using HTTPS only helps to prevent the forged packet attack.  It does
nothing to prevent a user from using Firebug to change values on the
client.

With respect to Google and Gmail or AdSense, they are probably not in
the same position as you.  You are relying entirely on the client to
report a valid score.  In the case of AdSense, it's hard to see how a
client hacking a value could cause "damage" to the integrity of their
system.  If the user is using Firebug to alter the name of a keyword
they wish to bid on, how does that hurt AdSense?  The user can achieve
the same effect through the UI, so there's no benefit to changing it.
In your case, you have a critical piece of data that is entirely in
control of the client; there is no simple way around it.

It really depends on how far you want to go with securing that data,
but because of the fundamental fact that the client "owns" the data
there is no way to totally secure it.  Note that this is not a
"JavaScript problem".  If you had a game that was an .exe file, but
you relied on the client to "post" the final score back to the server,
you would have the same problem.  The user could hack the .exe to post
back bogus scores.

The best you can achieve under that constraint is to obscure the data
and make it difficult to hack, but there can never be completely
ensured integrity under your scenario.  You can keep the score
encrypted on the client, which will help make it difficult -- possibly
very difficult.  One advantage is that Google's obfuscated code is a
true nightmare to decipher.  However, as noted, a truly determined
hacker can do it.  Your only other option is to track scores on the
server side and only have the client send "delta" adjustments to the
score periodically (once a second or every few seconds).  At least in
that case you would have some control over verifying the deltas sent
by the client, and rate-limiting their frequency, but, depending on the
number of users, this could create a fair amount of load on your server.

-Brett

On Aug 3, 10:42 am, asianCoolz <second.co...@gmail.com> wrote:
> 1. You mentioned HTTPS. Even if using HTTPS, the JavaScript is
> still visible to the user, therefore using Firebug etc. is still
> possible to change the value, right?
> 2. What are the extra measurements taken by Google for apps like Gmail
> and AdSense written in GWT?
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
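The server-side "delta" design Brett describes, as an added example that is not code from this thread or from GWT (sketched in Python rather than the Java servlet a GWT backend would use). The policy limits (MAX_DELTA_PER_UPDATE, MIN_INTERVAL_SECONDS, MAX_POINTS_PER_SECOND), the session-keyed API and the final-score comparison are assumptions for illustration.

```python
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Policy limits: hypothetical values chosen for this example, tune per game.
MAX_DELTA_PER_UPDATE = 50     # largest gain one delta message may claim
MIN_INTERVAL_SECONDS = 1.0    # client may report at most once per second
MAX_POINTS_PER_SECOND = 20.0  # fastest plausible scoring rate in the game

@dataclass
class ScoreSession:
    score: int = 0                       # the authoritative running total
    last_update: Optional[float] = None  # time of last *accepted* delta
    rejected: int = 0                    # rejected deltas, a signal worth alerting on

class ScoreServer:
    """Server-side score store: the client only ever sends deltas."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.sessions: Dict[str, ScoreSession] = {}

    def apply_delta(self, session_id: str, delta, now: Optional[float] = None) -> Tuple[bool, int]:
        """Validate and apply one delta; returns (accepted, server_score)."""
        now = self.clock() if now is None else now
        s = self.sessions.setdefault(session_id, ScoreSession())
        # 1. Shape check: a non-negative integer no larger than one update may claim.
        if isinstance(delta, bool) or not isinstance(delta, int) \
                or delta < 0 or delta > MAX_DELTA_PER_UPDATE:
            s.rejected += 1
            return False, s.score
        if s.last_update is not None:
            elapsed = now - s.last_update
            # 2. Rate limit: drop reports that arrive faster than allowed.
            if elapsed < MIN_INTERVAL_SECONDS:
                s.rejected += 1
                return False, s.score
            # 3. Plausibility: points claimed per elapsed second must fit the game.
            if delta / elapsed > MAX_POINTS_PER_SECOND:
                s.rejected += 1
                return False, s.score
        s.score += delta
        s.last_update = now
        return True, s.score

    def finalize(self, session_id: str, claimed_final: int) -> Tuple[bool, int]:
        """Compare the client's claimed final score with the server's own total."""
        s = self.sessions.get(session_id)
        server_score = s.score if s else 0
        return claimed_final == server_score, server_score
```

The server total is what gets recorded; the client's claimed final score is only compared against it, never trusted.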