Re: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)
Hah, no, not quite. That would kill all ecommerce overnight if that happened.

-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"To announce that there must be no criticism of the president, or that we are to stand by the president right or wrong, is not only unpatriotic and servile, but is morally treasonable to the American public." -- Theodore Roosevelt

On Feb 8, 2008, at 4:34 PM, Fennell, Mark P. wrote:

sad but true, users will be users despite our best efforts. I was worried that I missed something and all security evaporated overnight. Stranger things have happened.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Friday, February 08, 2008 4:27 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)

Yes. Man in the middle proxy to decrypt traffic on the fly. I don't need to decrypt the traffic, I let SSL do all the work and just pass the communications through my proxy. Encrypted tunnels exist between browser -> proxy and proxy -> server. You receive a certificate warning, but most users will accept them not knowing what the warning is or why it exists. Google Paros, Fiddler, Burp Proxy, etc.

-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"I have always strenuously supported the right of every man to his own opinion, however different that opinion might be to mine. He who denies another this right makes a slave of himself to his present opinion, because he precludes himself the right of changing it." -- Thomas Paine, 1783

On Feb 8, 2008, at 4:13 PM, Fennell, Mark P. wrote:

lemme get this straight. you can decrypt SSL traffic into a human readable format? you can crack a 128-bit certificate? what about a high-grade AES 256-bit pipe?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Friday, February 08, 2008 4:01 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)

If secure AMF is just AMF over SSL... it's easy enough to modify in transit. Darin, if you or your organization wants a demo of why these things are insecure, let me know. I'll be more than happy to do some live web hacking for you. (And yes, Charlie, I haven't forgotten about you and the meetup...)

-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"Dissent is the purest form of patriotism." --Thomas Jefferson

On Feb 8, 2008, at 3:55 PM, Dean H. Saxe wrote:

*cough* BS. Flash can be decompiled. I can watch all of the traffic. Even over SSL. I can modify AMF (I'd have to look @ secure AMF). If you'd like to challenge me to hack the app, let me know. I'm up for it. ;-)

-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"If liberty means anything at all, it means the right to tell people what they do not want to hear." -- George Orwell, 1945

On Feb 8, 2008, at 11:52 AM, Darin Kohles wrote:

You can always build a Flex (or Flash for that matter) application that can be put in your page as a 1px by 1px (I'm not sure if 0 by 0 will work) that has nothing on the stage with wmode="transparent". This application can now act as your portal between the browser via JS using the External Interface (or fsCommand going back to Flash ~6). Then your "invisible" Flex/Flash app can leverage all the connection types available (AMF/SecureAMF, Webservice, HttpService etc...) in a manner that is not easily accessible to any hacker (you can hide all kinds of security checks within this app). I've always wanted to do a benchmark of this type of app side by side with standard Ajax, but the bottom line is that the only browser specific code would be in how the returned data is applied to effect the client content.

On Feb 8, 2008 11:20 AM, shawn gorrell <[EMAIL PROTECTED]> wrote:

Charlie, my main issues with AJAX are dealing with cross-browser issues, and security. AJAX exposes some of the most annoying cross-browser DHTML sort of things. Using libraries and frameworks can insulate you from that to a degree, but not always completely. I've got a customer doing things with Google Maps and we've had some differences between IE and FF that have been difficult to solve. People have gotten so excited about using AJAX that they have forgotten basic security principles (things like validating input). I recently read an article that discussed the security holes in the more commonly used frameworks, so the issue isn't just with roll your own AJAX, it is more pervasive. But, those things said, ultimately I think it is a step forward in making a richer browser experience (not as much as Flex though). There are just some fleas on the dog that folks should be aware of in advance.

- Original Mes
Re: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)
Sure no problem. I'm doing a live web hacking show for WebManiacs in DC if anyone is going. I had to pass on Cf.Objective due to my wife having the nerve to have a child. ;-) Give me some tentative dates, I'll be there.

-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"What is objectionable, what is dangerous about extremists is not that they are extreme, but that they are intolerant." -- Robert F. Kennedy, 1964

On Feb 8, 2008, at 4:34 PM, John Mason wrote:

Actually this would be a great presentation for the Flash/Flex group or the CF group as well.

John Mason
[EMAIL PROTECTED]
770.337.8363
www.FusionLink.com - ColdFusion and Flex hosting
Now offering ColdFusion 8 Enterprise hosting
FREE Subversion hosting

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Friday, February 08, 2008 4:01 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)

If secure AMF is just AMF over SSL... it's easy enough to modify in transit. Darin, if you or your organization wants a demo of why these things are insecure, let me know. I'll be more than happy to do some live web hacking for you. (And yes, Charlie, I haven't forgotten about you and the meetup...)

-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"Dissent is the purest form of patriotism." --Thomas Jefferson

On Feb 8, 2008, at 3:55 PM, Dean H. Saxe wrote:

*cough* BS. Flash can be decompiled. I can watch all of the traffic. Even over SSL. I can modify AMF (I'd have to look @ secure AMF). If you'd like to challenge me to hack the app, let me know. I'm up for it. ;-)

-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"If liberty means anything at all, it means the right to tell people what they do not want to hear." -- George Orwell, 1945

On Feb 8, 2008, at 11:52 AM, Darin Kohles wrote:

You can always build a Flex (or Flash for that matter) application that can be put in your page as a 1px by 1px (I'm not sure if 0 by 0 will work) that has nothing on the stage with wmode="transparent". This application can now act as your portal between the browser via JS using the External Interface (or fsCommand going back to Flash ~6). Then your "invisible" Flex/Flash app can leverage all the connection types available (AMF/SecureAMF, Webservice, HttpService etc...) in a manner that is not easily accessible to any hacker (you can hide all kinds of security checks within this app). I've always wanted to do a benchmark of this type of app side by side with standard Ajax, but the bottom line is that the only browser specific code would be in how the returned data is applied to effect the client content.

On Feb 8, 2008 11:20 AM, shawn gorrell <[EMAIL PROTECTED]> wrote:

Charlie, my main issues with AJAX are dealing with cross-browser issues, and security. AJAX exposes some of the most annoying cross-browser DHTML sort of things. Using libraries and frameworks can insulate you from that to a degree, but not always completely. I've got a customer doing things with Google Maps and we've had some differences between IE and FF that have been difficult to solve. People have gotten so excited about using AJAX that they have forgotten basic security principles (things like validating input). I recently read an article that discussed the security holes in the more commonly used frameworks, so the issue isn't just with roll your own AJAX, it is more pervasive. But, those things said, ultimately I think it is a step forward in making a richer browser experience (not as much as Flex though). There are just some fleas on the dog that folks should be aware of in advance.

----- Original Message -----
From: Charlie Arehart <[EMAIL PROTECTED]>
To: discussion@acfug.org
Sent: Friday, February 8, 2008 10:58:47 AM
Subject: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)

That seems a curious statement, Forrest, and I'm sure some would enjoy a bit of discussion on it. For those who weren't following closely, he had asked first about some challenges using a CFX_google custom tag, and in the replies he was told that it's quite old and instead Google favors some Ajax APIs instead. Forrest replies he hoped the "Ajax thing would just go away". So, do you realize that Ajax is merely a way to make browsers smarter? It enables them to make calls to remote servers. Sure, we could do that in the past with Java applets, ActiveX controls, Flash, and even plain JavaScript. And we could of course do it from the server using either REST or SOAP APIs. Ajax is just a simplified API to enable that very JavaScript-based client-server interaction. For those who need to talk to servers from clients (either because they can't or don
Re: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)
BTW, the cert is not 128 bits, that would be trivially small for a public key. The public key is used to verify the identity of the server (i.e. does it match the machine name? Can it be validated through Public Key Infrastructure (PKI)?). The tunnel may use 128 bit AES, but the cert is using some form of public key crypto using a public/private key pair.

Note that there are 3 negotiations between browser and server: encryption protocol (data protection), key negotiation protocol (how to create a secret key for use in encryption) and the signing mechanism (to detect tampering). You can detect the possible settings for these on your server using SSLDigger (www.foundstone.com, free tools).

MITM proxies break none of these. They break the authentication of the remote server via the PKI, the tunnels are still secure, we just generate a way to open up the tunnel to peek inside.

-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"If liberty means anything at all, it means the right to tell people what they do not want to hear." -- George Orwell, 1945

On Feb 8, 2008, at 4:13 PM, Fennell, Mark P. wrote:

lemme get this straight. you can decrypt SSL traffic into a human readable format? you can crack a 128-bit certificate? what about a high-grade AES 256-bit pipe?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Friday, February 08, 2008 4:01 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)

If secure AMF is just AMF over SSL... it's easy enough to modify in transit. Darin, if you or your organization wants a demo of why these things are insecure, let me know. I'll be more than happy to do some live web hacking for you. (And yes, Charlie, I haven't forgotten about you and the meetup...)

-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"Dissent is the purest form of patriotism." --Thomas Jefferson

On Feb 8, 2008, at 3:55 PM, Dean H. Saxe wrote:

*cough* BS. Flash can be decompiled. I can watch all of the traffic. Even over SSL. I can modify AMF (I'd have to look @ secure AMF). If you'd like to challenge me to hack the app, let me know. I'm up for it. ;-)

-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"If liberty means anything at all, it means the right to tell people what they do not want to hear." -- George Orwell, 1945

On Feb 8, 2008, at 11:52 AM, Darin Kohles wrote:

You can always build a Flex (or Flash for that matter) application that can be put in your page as a 1px by 1px (I'm not sure if 0 by 0 will work) that has nothing on the stage with wmode="transparent". This application can now act as your portal between the browser via JS using the External Interface (or fsCommand going back to Flash ~6). Then your "invisible" Flex/Flash app can leverage all the connection types available (AMF/SecureAMF, Webservice, HttpService etc...) in a manner that is not easily accessible to any hacker (you can hide all kinds of security checks within this app). I've always wanted to do a benchmark of this type of app side by side with standard Ajax, but the bottom line is that the only browser specific code would be in how the returned data is applied to effect the client content.

On Feb 8, 2008 11:20 AM, shawn gorrell <[EMAIL PROTECTED]> wrote:

Charlie, my main issues with AJAX are dealing with cross-browser issues, and security. AJAX exposes some of the most annoying cross-browser DHTML sort of things. Using libraries and frameworks can insulate you from that to a degree, but not always completely. I've got a customer doing things with Google Maps and we've had some differences between IE and FF that have been difficult to solve. People have gotten so excited about using AJAX that they have forgotten basic security principles (things like validating input). I recently read an article that discussed the security holes in the more commonly used frameworks, so the issue isn't just with roll your own AJAX, it is more pervasive. But, those things said, ultimately I think it is a step forward in making a richer browser experience (not as much as Flex though). There are just some fleas on the dog that folks should be aware of in advance.

----- Original Message -----
From: Charlie Arehart <[EMAIL PROTECTED]>
To: discussion@acfug.org
Sent: Friday, February 8, 2008 10:58:47 AM
Subject: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)

That seems a curious statement, Forrest, and I'm sure some would enjoy a bit of discussion on it. For those who weren't following closely, he had asked first about some challenges using a CFX_google custom tag, and in the replies he was told that it's quite old and instead Google favors some Ajax APIs
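The distinction drawn in the message above (the negotiated tunnel stays strong, server authentication is what fails) can be checked on a client configuration. This is an added example, not part of the original thread; the function names and the three client profiles are assumptions made for illustration, using only Python's standard `ssl` module.

```python
import ssl


def negotiated_parts(ctx, limit=3):
    """Split the first few offered cipher suites into the three negotiated
    pieces the message lists: key negotiation, encryption, tamper detection."""
    rows = []
    for suite in ctx.get_ciphers()[:limit]:
        rows.append({
            "suite": suite["name"],
            "key_negotiation": suite.get("kea"),
            "encryption": suite.get("symmetric"),
            "key_bits": suite.get("strength_bits"),
            "tamper_detection": suite.get("digest"),
        })
    return rows


def authentication_findings(ctx):
    """Report which server-authentication checks a client context skips.
    An empty list means an untrusted certificate makes the handshake fail
    instead of producing a warning someone can accept."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not validated through the PKI")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the machine name")
    return findings


def strict_client():
    # Library defaults: chain validation and host name matching both on.
    return ssl.create_default_context()


def click_through_client():
    # Programmatic equivalent of accepting the certificate warning.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def chain_only_client():
    # Validates the chain but accepts a certificate issued for any name.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def compare(profiles):
    """Return {profile name: (tunnel settings, authentication findings)}."""
    return {
        name: (negotiated_parts(make()), authentication_findings(make()))
        for name, make in profiles.items()
    }


if __name__ == "__main__":
    profiles = {
        "strict": strict_client,
        "click-through": click_through_client,
        "chain-only": chain_only_client,
    }
    for name, (tunnel, findings) in compare(profiles).items():
        print(name)
        for row in tunnel:
            print("  tunnel:", row)
        for finding in findings or ["server authentication enforced"]:
            print("  auth:  ", finding)
```

All three profiles offer the same cipher suites and key sizes; only the authentication findings differ.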
RE: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)
sad but true, users will be users despite our best efforts. I was worried that I missed something and all security evaporated overnight. Stranger things have happened.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Friday, February 08, 2008 4:27 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)

Yes. Man in the middle proxy to decrypt traffic on the fly. I don't need to decrypt the traffic, I let SSL do all the work and just pass the communications through my proxy. Encrypted tunnels exist between browser -> proxy and proxy -> server. You receive a certificate warning, but most users will accept them not knowing what the warning is or why it exists. Google Paros, Fiddler, Burp Proxy, etc.

-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"I have always strenuously supported the right of every man to his own opinion, however different that opinion might be to mine. He who denies another this right makes a slave of himself to his present opinion, because he precludes himself the right of changing it." -- Thomas Paine, 1783

On Feb 8, 2008, at 4:13 PM, Fennell, Mark P. wrote:

lemme get this straight. you can decrypt SSL traffic into a human readable format? you can crack a 128-bit certificate? what about a high-grade AES 256-bit pipe?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Friday, February 08, 2008 4:01 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)

If secure AMF is just AMF over SSL... it's easy enough to modify in transit. Darin, if you or your organization wants a demo of why these things are insecure, let me know. I'll be more than happy to do some live web hacking for you. (And yes, Charlie, I haven't forgotten about you and the meetup...)

-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"Dissent is the purest form of patriotism." --Thomas Jefferson

On Feb 8, 2008, at 3:55 PM, Dean H. Saxe wrote:

*cough* BS. Flash can be decompiled. I can watch all of the traffic. Even over SSL. I can modify AMF (I'd have to look @ secure AMF). If you'd like to challenge me to hack the app, let me know. I'm up for it. ;-)

-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"If liberty means anything at all, it means the right to tell people what they do not want to hear." -- George Orwell, 1945

On Feb 8, 2008, at 11:52 AM, Darin Kohles wrote:

You can always build a Flex (or Flash for that matter) application that can be put in your page as a 1px by 1px (I'm not sure if 0 by 0 will work) that has nothing on the stage with wmode="transparent". This application can now act as your portal between the browser via JS using the External Interface (or fsCommand going back to Flash ~6). Then your "invisible" Flex/Flash app can leverage all the connection types available (AMF/SecureAMF, Webservice, HttpService etc...) in a manner that is not easily accessible to any hacker (you can hide all kinds of security checks within this app). I've always wanted to do a benchmark of this type of app side by side with standard Ajax, but the bottom line is that the only browser specific code would be in how the returned data is applied to effect the client content.

On Feb 8, 2008 11:20 AM, shawn gorrell <[EMAIL PROTECTED]> wrote:

Charlie, my main issues with AJAX are dealing with cross-browser issues, and security. AJAX exposes some of the most annoying cross-browser DHTML sort of things. Using libraries and frameworks can insulate you from that to a degree, but not always completely. I've got a customer doing things with G
Re: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)
Yes. Man in the middle proxy to decrypt traffic on the fly. I don't need to decrypt the traffic, I let SSL do all the work and just pass the communications through my proxy. Encrypted tunnels exist between browser -> proxy and proxy -> server. You receive a certificate warning, but most users will accept them not knowing what the warning is or why it exists. Google Paros, Fiddler, Burp Proxy, etc.

-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"I have always strenuously supported the right of every man to his own opinion, however different that opinion might be to mine. He who denies another this right makes a slave of himself to his present opinion, because he precludes himself the right of changing it." -- Thomas Paine, 1783

On Feb 8, 2008, at 4:13 PM, Fennell, Mark P. wrote:

lemme get this straight. you can decrypt SSL traffic into a human readable format? you can crack a 128-bit certificate? what about a high-grade AES 256-bit pipe?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Friday, February 08, 2008 4:01 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)

If secure AMF is just AMF over SSL... it's easy enough to modify in transit. Darin, if you or your organization wants a demo of why these things are insecure, let me know. I'll be more than happy to do some live web hacking for you. (And yes, Charlie, I haven't forgotten about you and the meetup...)

-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"Dissent is the purest form of patriotism." --Thomas Jefferson

On Feb 8, 2008, at 3:55 PM, Dean H. Saxe wrote:

*cough* BS. Flash can be decompiled. I can watch all of the traffic. Even over SSL. I can modify AMF (I'd have to look @ secure AMF). If you'd like to challenge me to hack the app, let me know. I'm up for it. ;-)

-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"If liberty means anything at all, it means the right to tell people what they do not want to hear." -- George Orwell, 1945

On Feb 8, 2008, at 11:52 AM, Darin Kohles wrote:

You can always build a Flex (or Flash for that matter) application that can be put in your page as a 1px by 1px (I'm not sure if 0 by 0 will work) that has nothing on the stage with wmode="transparent". This application can now act as your portal between the browser via JS using the External Interface (or fsCommand going back to Flash ~6). Then your "invisible" Flex/Flash app can leverage all the connection types available (AMF/SecureAMF, Webservice, HttpService etc...) in a manner that is not easily accessible to any hacker (you can hide all kinds of security checks within this app). I've always wanted to do a benchmark of this type of app side by side with standard Ajax, but the bottom line is that the only browser specific code would be in how the returned data is applied to effect the client content.

On Feb 8, 2008 11:20 AM, shawn gorrell <[EMAIL PROTECTED]> wrote:

Charlie, my main issues with AJAX are dealing with cross-browser issues, and security. AJAX exposes some of the most annoying cross-browser DHTML sort of things. Using libraries and frameworks can insulate you from that to a degree, but not always completely. I've got a customer doing things with Google Maps and we've had some differences between IE and FF that have been difficult to solve. People have gotten so excited about using AJAX that they have forgotten basic security principles (things like validating input). I recently read an article that discussed the security holes in the more commonly used frameworks, so the issue isn't just with roll your own AJAX, it is more pervasive. But, those things said, ultimately I think it is a step forward in making a richer browser experience (not as much as Flex though). There are just some fleas on the dog that folks should be aware of in advance.

----- Original Message -----
From: Charlie Arehart <[EMAIL PROTECTED]>
To: discussion@acfug.org
Sent: Friday, February 8, 2008 10:58:47 AM
Subject: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)

That seems a curious statement, Forrest, and I'm sure some would enjoy a bit of discussion on it. For those who weren't following closely, he had asked first about some challenges using a CFX_google custom tag, and in the replies he was told that it's quite old and instead Google favors some Ajax APIs instead. Forrest replies he hoped the "Ajax thing would just go away". So, do you realize that Ajax is merely a way to make browsers smarter? It enables them to make calls to remote servers. Sure, we could do that in the past with Java applets, ActiveX controls, Flash, and even plain JavaScript. And w
RE: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)
Actually this would be a great presentation for the Flash/Flex group or the CF group as well.

John Mason
[EMAIL PROTECTED]
770.337.8363
www.FusionLink.com - ColdFusion and Flex hosting
Now offering ColdFusion 8 Enterprise hosting
FREE Subversion hosting

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Friday, February 08, 2008 4:01 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)

If secure AMF is just AMF over SSL... it's easy enough to modify in transit. Darin, if you or your organization wants a demo of why these things are insecure, let me know. I'll be more than happy to do some live web hacking for you. (And yes, Charlie, I haven't forgotten about you and the meetup...)

-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"Dissent is the purest form of patriotism." --Thomas Jefferson

On Feb 8, 2008, at 3:55 PM, Dean H. Saxe wrote:

*cough* BS. Flash can be decompiled. I can watch all of the traffic. Even over SSL. I can modify AMF (I'd have to look @ secure AMF). If you'd like to challenge me to hack the app, let me know. I'm up for it. ;-)

-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"If liberty means anything at all, it means the right to tell people what they do not want to hear." -- George Orwell, 1945

On Feb 8, 2008, at 11:52 AM, Darin Kohles wrote:

You can always build a Flex (or Flash for that matter) application that can be put in your page as a 1px by 1px (I'm not sure if 0 by 0 will work) that has nothing on the stage with wmode="transparent". This application can now act as your portal between the browser via JS using the External Interface (or fsCommand going back to Flash ~6). Then your "invisible" Flex/Flash app can leverage all the connection types available (AMF/SecureAMF, Webservice, HttpService etc...) in a manner that is not easily accessible to any hacker (you can hide all kinds of security checks within this app). I've always wanted to do a benchmark of this type of app side by side with standard Ajax, but the bottom line is that the only browser specific code would be in how the returned data is applied to effect the client content.

On Feb 8, 2008 11:20 AM, shawn gorrell <[EMAIL PROTECTED]> wrote:

Charlie, my main issues with AJAX are dealing with cross-browser issues, and security. AJAX exposes some of the most annoying cross-browser DHTML sort of things. Using libraries and frameworks can insulate you from that to a degree, but not always completely. I've got a customer doing things with Google Maps and we've had some differences between IE and FF that have been difficult to solve. People have gotten so excited about using AJAX that they have forgotten basic security principles (things like validating input). I recently read an article that discussed the security holes in the more commonly used frameworks, so the issue isn't just with roll your own AJAX, it is more pervasive. But, those things said, ultimately I think it is a step forward in making a richer browser experience (not as much as Flex though). There are just some fleas on the dog that folks should be aware of in advance.

----- Original Message -----
From: Charlie Arehart <[EMAIL PROTECTED]>
To: discussion@acfug.org
Sent: Friday, February 8, 2008 10:58:47 AM
Subject: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)

That seems a curious statement, Forrest, and I'm sure some would enjoy a bit of discussion on it. For those who weren't following closely, he had asked first about some challenges using a CFX_google custom tag, and in the replies he was told that it's quite old and instead Google favors some Ajax APIs instead. Forrest replies he hoped the "Ajax thing would just go away". So, do you realize that Ajax is merely a way to make browsers smarter? It enables them to make calls to remote servers. Sure, we could do that in the past with Java applets, ActiveX controls, Flash, and even plain JavaScript. And we could of course do it from the server using either REST or SOAP APIs. Ajax is just a simplified API to enable that very JavaScript-based client-server interaction. For those who need to talk to servers from clients (either because they can't or don't want to involve a server to proxy the communications for them), we don't want them to go back to Java and ActiveX, do we? :-) And while we may wish everyone would use Flex, it's just not likely. Many will, for the much larger problem space it solves, but for the average web developer, it's not really as simple as dropping in some AJAX API calls. If Google (or other vendors) want to create a way for people to connect, and they want to make it work regardl
RE: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)
lemme get this straight. you can decrypt SSL traffic into a human readable format? you can crack a 128-bit certificate? what about a high-grade AES 256-bit pipe?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Friday, February 08, 2008 4:01 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)

If secure AMF is just AMF over SSL... it's easy enough to modify in transit. Darin, if you or your organization wants a demo of why these things are insecure, let me know. I'll be more than happy to do some live web hacking for you. (And yes, Charlie, I haven't forgotten about you and the meetup...)

-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"Dissent is the purest form of patriotism." --Thomas Jefferson

On Feb 8, 2008, at 3:55 PM, Dean H. Saxe wrote:

*cough* BS. Flash can be decompiled. I can watch all of the traffic. Even over SSL. I can modify AMF (I'd have to look @ secure AMF). If you'd like to challenge me to hack the app, let me know. I'm up for it. ;-)

-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"If liberty means anything at all, it means the right to tell people what they do not want to hear." -- George Orwell, 1945

On Feb 8, 2008, at 11:52 AM, Darin Kohles wrote:

You can always build a Flex (or Flash for that matter) application that can be put in your page as a 1px by 1px (I'm not sure if 0 by 0 will work) that has nothing on the stage with wmode="transparent". This application can now act as your portal between the browser via JS using the External Interface (or fsCommand going back to Flash ~6). Then your "invisible" Flex/Flash app can leverage all the connection types available (AMF/SecureAMF, Webservice, HttpService etc...) in a manner that is not easily accessible to any hacker (you can hide all kinds of security checks within this app). I've always wanted to do a benchmark of this type of app side by side with standard Ajax, but the bottom line is that the only browser specific code would be in how the returned data is applied to effect the client content.

On Feb 8, 2008 11:20 AM, shawn gorrell <[EMAIL PROTECTED]> wrote:

Charlie, my main issues with AJAX are dealing with cross-browser issues, and security. AJAX exposes some of the most annoying cross-browser DHTML sort of things. Using libraries and frameworks can insulate you from that to a degree, but not always completely. I've got a customer doing things with Google Maps and we've had some differences between IE and FF that have been difficult to solve. People have gotten so excited about using AJAX that they have forgotten basic security principles (things like validating input). I recently read an article that discussed the security holes in the more commonly used frameworks, so the issue isn't just with roll your own AJAX, it is more pervasive. But, those things said, ultimately I think it is a step forward in making a richer browser experience (not as much as Flex though). There are just some fleas on the dog that folks should be aware of in advance.

----- Original Message -----
From: Charlie Arehart <[EMAIL PROTECTED]>
To: discussion@acfug.org
Sent: Friday, February 8, 2008 10:58:47 AM
Subject: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)

That seems a curious statement, Forrest, and I'm sure some would enjoy a
Re: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)
If secure AMF is just AMF over SSL... it's easy enough to modify in transit.

Darin, if you or your organization wants a demo of why these things are insecure, let me know. I'll be more than happy to do some live web hacking for you. (And yes, Charlie, I haven't forgotten about you and the meetup...)

-dhs

Dean H. Saxe, CISSP, CEH [EMAIL PROTECTED]
"Dissent is the purest form of patriotism." --Thomas Jefferson

On Feb 8, 2008, at 3:55 PM, Dean H. Saxe wrote:

> *cough* BS. Flash can be decompiled. I can watch all of the traffic. Even over SSL. I can modify AMF (I'd have to look @ secure AMF). If you'd like to challenge me to hack the app, let me know. I'm up for it. ;-)
Re: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)
*cough* BS. Flash can be decompiled. I can watch all of the traffic. Even over SSL. I can modify AMF (I'd have to look @ secure AMF). If you'd like to challenge me to hack the app, let me know. I'm up for it. ;-)

-dhs

Dean H. Saxe, CISSP, CEH [EMAIL PROTECTED]
"If liberty means anything at all, it means the right to tell people what they do not want to hear." -- George Orwell, 1945

On Feb 8, 2008, at 11:52 AM, Darin Kohles wrote:

> You can always build a Flex (or Flash for that matter) application that can be put in your page as a 1px by 1px (I'm not sure if 0 by 0 will work) that has nothing on the stage with wmode="transparent". This application can now act as your portal between the browser via JS using the External Interface (or fsCommand going back to Flash ~6). Then your "invisible" Flex/Flash app can leverage all the connection types available (AMF/SecureAMF, Webservice, HttpService etc...) in a manner that is not easily accessible to any hacker (you can hide all kinds of security checks within this app).
>
> I've always wanted to do a bench mark of this type of app side by side with standard Ajax, but the bottom line is that the only browser specific code would be in how the returned data is applied to effect the client content.
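The exchange above turns on where security checks are enforced: a check that lives only inside the Flex/Flash or Ajax client does not bind a request that is watched or modified on the way to the server. The following is an added example, not code from the thread or from any project it mentions; `handleOrder`, the catalog, the session store and every field name are hypothetical, and the request body is assumed to be already decoded to JSON. It shows a server-side handler that treats every client-supplied field as untrusted and records disagreements as signals for logging.

```javascript
"use strict";

// Constructed sample data: the server's own price list and session store.
// All names here (CATALOG, SESSIONS, handleOrder, field names) are hypothetical.
const CATALOG = new Map([
  ["sku-100", { priceCents: 2500, maxQty: 10 }],
  ["sku-200", { priceCents: 9900, maxQty: 2 }],
]);
const SESSIONS = new Map([["sess-abc", { userId: 7 }]]);
const MAX_LINES = 20;

function reject(status, reason) {
  return { status, error: reason };
}

// rawBody is the request exactly as it arrived. It may have been produced by
// the Flex/Ajax client, or by anything else able to speak HTTP to the endpoint,
// so no field in it is assumed to have passed a client-side check.
function handleOrder(sessionId, rawBody) {
  // Identity comes from the server-side session, never from the body.
  const session = SESSIONS.get(sessionId);
  if (!session) return reject(401, "not authenticated");

  let body;
  try {
    body = JSON.parse(rawBody);
  } catch (e) {
    return reject(400, "malformed body");
  }
  if (body === null || typeof body !== "object" || !Array.isArray(body.items)) {
    return reject(400, "items must be an array");
  }
  if (body.items.length < 1 || body.items.length > MAX_LINES) {
    return reject(400, "bad number of order lines");
  }

  let totalCents = 0;
  const lines = [];
  for (const item of body.items) {
    if (item === null || typeof item !== "object") {
      return reject(400, "bad order line");
    }
    // Allow-list: the SKU must be a string the server already knows.
    const product = typeof item.sku === "string" ? CATALOG.get(item.sku) : undefined;
    if (!product) return reject(400, "unknown sku");
    // Type and range are checked here even if the client also checked them.
    if (!Number.isInteger(item.qty) || item.qty < 1 || item.qty > product.maxQty) {
      return reject(400, "quantity out of range");
    }
    // The price is looked up server-side; any price sent by the client is ignored.
    totalCents += product.priceCents * item.qty;
    lines.push({ sku: item.sku, qty: item.qty, unitPriceCents: product.priceCents });
  }

  // A client claim that disagrees with server state does not change the
  // result, but it is worth logging: an unmodified client should not send it.
  const signals = [];
  if ("totalCents" in body && body.totalCents !== totalCents) signals.push("total_mismatch");
  if ("userId" in body && body.userId !== session.userId) signals.push("user_mismatch");

  return { status: 200, userId: session.userId, lines, totalCents, signals };
}
```
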
Re: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)
Yes, the security issues are pervasive. Read "Ajax Security" by Billy Hoffman @ SPI Dynamics (now HP) for a great review of these concerns.

-dhs

Dean H. Saxe, CISSP, CEH [EMAIL PROTECTED]
"Dissent is the purest form of patriotism." --Thomas Jefferson

On Feb 8, 2008, at 11:20 AM, shawn gorrell wrote:

> Charlie, my main issues with AJAX are dealing with cross-browser issues, and security.
>
> AJAX exposes some of the most annoying cross-browser DHTML sort of things. Using libraries and frameworks can insulate you from that to a degree, but not always completely. I've got a customer doing things with Google Maps and we've had some differences between IE and FF that have been difficult to solve.
>
> People have gotten so excited about using AJAX that they have forgotten basic security principles (things like validating input). I recently read an article that discussed the security holes in the more commonly used frameworks, so the issue isn't just with roll your own AJAX, it is more pervasive.
>
> But, those things said, ultimately I think it is a step forward in making a richer browser experience (not as much as Flex though). There are just some fleas on the dog that folks should be aware of in advance.
>
> ----- Original Message -----
> From: Charlie Arehart <[EMAIL PROTECTED]>
> To: discussion@acfug.org
> Sent: Friday, February 8, 2008 10:58:47 AM
> Subject: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)
>
> That seems a curious statement, Forrest, and I'm sure some would enjoy a bit of discussion on it. For those who weren't following closely, he had asked first about some challenges using a CFX_google custom tag, and in the replies he was told that it's quite old and instead Google favors some Ajax APIs instead. Forrest replies he hoped the "Ajax thing would just go away".
>
> So, do you realize that Ajax is merely a way to make browsers smarter? It enables them to make calls to remote servers. Sure, we could do that in the past with Java applets, ActiveX controls, Flash, and even plain Javascript. And we could of course do it from the server using either REST or SOAP apis. Ajax is just a simplified API to enable that very javascript-based client-server interaction. For those who need to talk to servers from clients (either because they can't or don't want to involve a server to proxy the communications for them), we don't want them to go back to Java and ActiveX, do we? :-) And while we may wish everyone would use Flex, it's just not likely. Many will, for the much larger problem space it solves, but for the average web developer, it's not really as simple as dropping in some AJAX API calls.
>
> If Google (or other vendors) want to create a way for people to connect, and they want to make it work regardless of what web app server platform people use (and as well for those who have no server), and they provide an Ajax-based API to what (I suppose are otherwise REST-based) services, that seems to be just being smart, widening the pool of possible users.
>
> Look at it another way (for us CFers), they (like Amazon, Ebay, and others) could instead just document calling from Java, ASP.NET, and PHP. They tend to not go that one step further to include CF. At least by their offering a platform-agnostic solution that doesn't require any server-side processing, they've helped more than just those who have no server to make calls from.
>
> Just some thoughts. I'm not fanatical about all this, and I may well myself be missing a point. But since this is the ACFUG "discussion" list, that comment seemed one worth discussing. :-)
>
> /charlie
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Forrest C. Gilmore
> Sent: Thursday, February 07, 2008 5:30 PM
> To: discussion@acfug.org
> Subject: Re: [ACFUG Discuss] JVM version and ColdFusion
>
> Thanks, Charlie. Your comments were very helpful!
>
> I have been hoping that this AJAX thing would just go away, as it seems to me to be a step backwards, but it looks like it will be around a while longer!
>
> Forrest C. Gilmore
>
> Charlie Arehart wrote:
> > Forrest, I realize you've perhaps abandoned the effort, but I'll throw out some clarification if it's useful, first about the JRE/CFX issue, then about calling the google search APIs.
Re: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)
Forrest,

There's nothing that says that web services used in AJAX have to be consumed only by connections initiated by Javascript. The only part of traditional AJAX that "requires" Javascript is the manipulation of the browser content (and that's only because it enables content to change on the page without having to reload the entire page). If you are willing to have the entire page reload (not necessarily a bad thing, depends on your situation and requirements), then there's no reason why you can't hit those web services APIs with CF and then display the results to the user.

On 2/8/08, Forrest C. Gilmore <[EMAIL PROTECTED]> wrote:
>
> I guess my somewhat negative attitude toward AJAX has to do with its Javascript underpinnings.

--
Howard Fore, [EMAIL PROTECTED]
"The universe tends toward maximum irony. Don't push it." - Jeff Atwood
RE: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)
Just a quick .02 from me. Your last statement grabbed my attention...

"Do you think AJAX is or will be as useful and powerful as CF?"

I think maybe you're looking at AJAX wrong. AJAX is something that is typically used in conjunction with CF, PHP, ASP.NET, etc. AJAX is there to do a couple of things:

1. Improve the interface/interaction for end users
2. Reduce the amount of network traffic (less reloading of images, etc)
3. Create a more universal interface (use of JSON or XML can be used among many server platforms including CF, PHP, ASP.NET, etc)

Chances are, you're still going to be using CF at least as a back end to retrieve, store, validate, etc. You will probably even use it for the front end and intermingle your AJAX with your CF. That is the most common usage of AJAX.

If you're scared of it a bit, I would suggest using existing libraries to ease your pain. There are several good ones out there, my favorite being:

http://www.jquery.com/
http://prototypejs.org/

So, don't think of AJAX as replacing languages, think about it as accompanying them.

And, a thought on the Google interfaces or even other ones...just because you hear that Google has an AJAX interface doesn't mean you can't use ColdFusion to grab the data and parse it just as Javascript does! AJAX is just a method for retrieving data. Think of it as cfhttp in javascript. Anything you can call through AJAX, you can call through a CFHTTP (or even a browser's own url)...

Hope that helps a little.

Allen

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Forrest C. Gilmore
Sent: Friday, February 08, 2008 3:03 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)

Some interesting benchmark results! Also thanks for noting the security issues, etc. with AJAX and Javascript.

I guess my somewhat negative attitude toward AJAX has to do with its Javascript underpinnings. It's Javascript that I tend to dislike. I mean, I like being able to write code that runs in the browser and lets you do things like data validation and build "smarts" into the page, but it is so quirky, case sensitive, and difficult to troubleshoot that it's very time-consuming to use. One good thing is that it's easy to copy and use code developed by others. However, users can easily turn off Javascript in their browsers, and many do so because of the "bad" things some sites do with it.

The thing I love about CFML is that it uses tag-based code that is generally very understandable, encapsulates most of the underlying complexity, and gives very helpful error messages. I've not found any other web page coding language that is as easy to use. Granted, it has its limitations, but I still prefer to use CFML and CFX code wherever I can. One downside, however, is that some CF functions actually generate Javascript code in the HTML page returned from the server. At least I don't have to worry about the syntax of that JS code!

Now, if Google and others want to design services that I can easily invoke in a way that is not prone to error, or at least gives clear error messages, I don't care whether it's AJAX or anything else. Have you found these AJAX APIs easy to implement and error-free?

While I'm in no way a professional programmer, over the years I have used Fortran, Dartmouth Basic, MS Basic, Visual Basic, Delphi (Pascal based, originally), and Lotus Notes Script (similar to Javascript and Basic), in addition to CF Script and CFML. My professional career was ending as the C languages and Java were coming to the forefront, so I didn't see the need to get into these technologies. When CF came along, I felt that Jeremy Allaire and Ben Forta were really onto something that would make it possible for amateurs like me to get some useful work done using the web. Do you think AJAX is or will be as useful and powerful as CF?

Forrest C. Gilmore
Re: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)
Some interesting benchmark results! Also thanks for noting the security issues, etc. with AJAX and Javascript.

I guess my somewhat negative attitude toward AJAX has to do with its Javascript underpinnings. It's Javascript that I tend to dislike. I mean, I like being able to write code that runs in the browser and lets you do things like data validation and build "smarts" into the page, but it is so quirky, case sensitive, and difficult to troubleshoot that it's very time-consuming to use. One good thing is that it's easy to copy and use code developed by others. However, users can easily turn off Javascript in their browsers, and many do so because of the "bad" things some sites do with it.

The thing I love about CFML is that it uses tag-based code that is generally very understandable, encapsulates most of the underlying complexity, and gives very helpful error messages. I've not found any other web page coding language that is as easy to use. Granted, it has its limitations, but I still prefer to use CFML and CFX code wherever I can. One downside, however, is that some CF functions actually generate Javascript code in the HTML page returned from the server. At least I don't have to worry about the syntax of that JS code!

Now, if Google and others want to design services that I can easily invoke in a way that is not prone to error, or at least gives clear error messages, I don't care whether it's AJAX or anything else. Have you found these AJAX APIs easy to implement and error-free?

While I'm in no way a professional programmer, over the years I have used Fortran, Dartmouth Basic, MS Basic, Visual Basic, Delphi (Pascal based, originally), and Lotus Notes Script (similar to Javascript and Basic), in addition to CF Script and CFML. My professional career was ending as the C languages and Java were coming to the forefront, so I didn't see the need to get into these technologies. When CF came along, I felt that Jeremy Allaire and Ben Forta were really onto something that would make it possible for amateurs like me to get some useful work done using the web. Do you think AJAX is or will be as useful and powerful as CF?

Forrest C. Gilmore

Darin Kohles wrote:
> Speaking of Benchmarks: http://www.jamesward.org/census/
RE: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)
Hello everyone,

My client is looking for a flex developer. They are located in the Orlando market. Anyone interested or know anyone I could speak with?

Comp: $70-95k
Role: extend our Flex-based CDN Dashboard application.

Requirements (must have all):
Experience developing in Flex 2.0
Experience with ActionScript 3
Experience connecting Flex apps to REST or SOAP web services

Desired (must have one or two):
Experience with Flex Charting
Experience with Flash Raw Sockets
Basic Photoshop skills
Basic server-side Apache/PHP/MySQL skills

Optional (will learn but need not know already):
Experience with geographic/marketing data

Thanks,

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Kohles
Sent: Friday, February 08, 2008 11:08 AM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)

Speaking of Benchmarks: http://www.jamesward.org/census/
Re: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)
Speaking of Benchmarks: http://www.jamesward.org/census/

On Feb 8, 2008 11:52 AM, Darin Kohles <[EMAIL PROTECTED]> wrote:
> You can always build a Flex (or Flash for that matter) application that can be put in your page as a 1px by 1px (I'm not sure if 0 by 0 will work) that has nothing on the stage with wmode="transparent". This application can now act as your portal between the browser via JS using the External Interface (or fsCommand going back to Flash ~6). Then your "invisible" Flex/Flash app can leverage all the connection types available (AMF/SecureAMF, Webservice, HttpService etc...) in a manner that is not easily accessible to any hacker (you can hide all kinds of security checks within this app).
>
> I've always wanted to do a bench mark of this type of app side by side with standard Ajax, but the bottom line is that the only browser specific code would be in how the returned data is applied to effect the client content.
Re: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)
You can always build a Flex (or Flash for that matter) application that can be put in you page as a 1px by 1px (I'm not sure if 0 by 0 will work) that has nothing on the stage with wmode="transparent". This application can now act as your portal between the browser via JS using the External Interface (or fsCommand going back to Flash ~6). Then your "invisible" Flex/Flash app can leverage all the connection types available (AMF/SecureAMF, Webservice, HttpService etc...) in a manner that is not easily accessible to any hacker (you can hide all kinds of security checks within this app). I've always wanted to do a bench mark of this type of app side by side with standard Ajax, but the bottom line is that the only browser specific code would be in how the returned data is applied to effect the client content. On Feb 8, 2008 11:20 AM, shawn gorrell <[EMAIL PROTECTED]> wrote: > > Charlie, my main issues with AJAX are dealing with cross-browser issues, and > security. > > AJAX exposes some of the most annoying cross-browser DHTML sort of things. > Using libraries and frameworks can insulate you from that to a degree, but > not always completely. I've got a customer doing things with Google Maps and > we've had some differences between IE and FF that have been difficult to > solve. > > People have gotten so excited about using AJAX that they have forgotten > basic security principles (things like validating input). I recently read an > article that discussed the security holes in the more commonly used > frameworks, so the issue isn't just with roll your own AJAX, it is more > pervasive. > > But, those things said, ultimately I think it is a step forward in making a > richer browser experience (not as much as Flex though). There are just some > fleas on the dog that folks should be aware of in advance. 
>
> ----- Original Message -----
> From: Charlie Arehart <[EMAIL PROTECTED]>
> To: discussion@acfug.org
> Sent: Friday, February 8, 2008 10:58:47 AM
> Subject: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)
>
> That seems a curious statement, Forrest, and I'm sure some would enjoy a bit of discussion on it. For those who weren't following closely, he had asked first about some challenges using a CFX_google custom tag, and in the replies he was told that it's quite old and instead Google favors some Ajax APIs instead. Forrest replies he hoped the "Ajax thing would just go away".
>
> So, do you realize that Ajax is merely a way to make browsers smarter? It enables them to make calls to remote servers. Sure, we could do that in the past with Java applets, ActiveX controls, Flash, and even plain JavaScript. And we could of course do it from the server using either REST or SOAP APIs. Ajax is just a simplified API to enable that very JavaScript-based client-server interaction. For those who need to talk to servers from clients (either because they can't or don't want to involve a server to proxy the communications for them), we don't want them to go back to Java and ActiveX, do we? :-) And while we may wish everyone would use Flex, it's just not likely. Many will, for the much larger problem space it solves, but for the average web developer, it's not really as simple as dropping in some AJAX API calls.
>
> If Google (or other vendors) want to create a way for people to connect, and they want to make it work regardless of what web app server platform people use (and as well for those who have no server), and they provide an Ajax-based API to what (I suppose are otherwise REST-based) services, that seems to be just being smart, widening the pool of possible users.
>
> Look at it another way (for us CFers), they (like Amazon, Ebay, and others) could instead just document calling from Java, ASP.NET, and PHP.
> They tend to not go that one step further to include CF. At least by their offering a platform-agnostic solution that doesn't require any server-side processing, they've helped more than just those who have no server to make calls from.
>
> Just some thoughts. I'm not fanatical about all this, and I may well myself be missing a point. But since this is the ACFUG "discussion" list, that comment seemed one worth discussing. :-)
>
> /charlie
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Forrest C. Gilmore
> Sent: Thursday, February 07, 2008 5:30 PM
> To: discussion@acfug.org
> Subject: Re: [ACFUG Discuss] JVM version and ColdFusion
>
> Thanks, Charlie. Your comments were very helpful!
>
> I have been hoping that this AJAX thing would
Re: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)
Charlie, my main issues with AJAX are dealing with cross-browser issues, and security.

AJAX exposes some of the most annoying cross-browser DHTML sort of things. Using libraries and frameworks can insulate you from that to a degree, but not always completely. I've got a customer doing things with Google Maps and we've had some differences between IE and FF that have been difficult to solve.

People have gotten so excited about using AJAX that they have forgotten basic security principles (things like validating input). I recently read an article that discussed the security holes in the more commonly used frameworks, so the issue isn't just with roll your own AJAX, it is more pervasive.

But, those things said, ultimately I think it is a step forward in making a richer browser experience (not as much as Flex though). There are just some fleas on the dog that folks should be aware of in advance.

----- Original Message -----
From: Charlie Arehart <[EMAIL PROTECTED]>
To: discussion@acfug.org
Sent: Friday, February 8, 2008 10:58:47 AM
Subject: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)

That seems a curious statement, Forrest, and I'm sure some would enjoy a bit of discussion on it. For those who weren't following closely, he had asked first about some challenges using a CFX_google custom tag, and in the replies he was told that it's quite old and instead Google favors some Ajax APIs instead. Forrest replies he hoped the "Ajax thing would just go away".

So, do you realize that Ajax is merely a way to make browsers smarter? It enables them to make calls to remote servers. Sure, we could do that in the past with Java applets, ActiveX controls, Flash, and even plain JavaScript. And we could of course do it from the server using either REST or SOAP APIs. Ajax is just a simplified API to enable that very JavaScript-based client-server interaction.
For those who need to talk to servers from clients (either because they can't or don't want to involve a server to proxy the communications for them), we don't want them to go back to Java and ActiveX, do we? :-) And while we may wish everyone would use Flex, it's just not likely. Many will, for the much larger problem space it solves, but for the average web developer, it's not really as simple as dropping in some AJAX API calls.

If Google (or other vendors) want to create a way for people to connect, and they want to make it work regardless of what web app server platform people use (and as well for those who have no server), and they provide an Ajax-based API to what (I suppose are otherwise REST-based) services, that seems to be just being smart, widening the pool of possible users.

Look at it another way (for us CFers), they (like Amazon, Ebay, and others) could instead just document calling from Java, ASP.NET, and PHP. They tend to not go that one step further to include CF. At least by their offering a platform-agnostic solution that doesn't require any server-side processing, they've helped more than just those who have no server to make calls from.

Just some thoughts. I'm not fanatical about all this, and I may well myself be missing a point. But since this is the ACFUG "discussion" list, that comment seemed one worth discussing. :-)

/charlie

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Forrest C. Gilmore
Sent: Thursday, February 07, 2008 5:30 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] JVM version and ColdFusion

Thanks, Charlie. Your comments were very helpful!

I have been hoping that this AJAX thing would just go away, as it seems to be a step backwards, but it looks like it will be around a while longer!

Forrest C.
Gilmore

Charlie Arehart wrote:
> Forrest, I realize you've perhaps abandoned the effort, but I'll throw out some clarification if it's useful, first about the JRE/CFX issue, then about calling the google search APIs.

Annual Sponsor FigLeaf Software - http://www.figleaf.com
To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
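
Added example (not code from any poster in this thread): a server-side handler that re-checks every field of a request coming from an Ajax or Flex/Flash client, since validation that runs in the browser or plugin executes on a machine the server does not control. The catalogue, field names and `validateOrder` are assumptions made for illustration.

```javascript
// Server-side validation for an order request sent by an Ajax or Flex/Flash
// client. CATALOG, MAX_QTY and validateOrder are hypothetical names.
const CATALOG = { "sku-100": 1999, "sku-200": 4950 }; // server-owned prices, in cents
const MAX_QTY = 25;

// rawBody is the JSON text exactly as it arrived on the wire.
// Returns { ok: true, order } or { ok: false, errors: [...] }.
function validateOrder(rawBody) {
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch (e) {
    return { ok: false, errors: ["body is not valid JSON"] };
  }
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { ok: false, errors: ["body must be a JSON object"] };
  }
  const errors = [];
  const { sku, qty, note } = body;

  // Allow-list lookup; hasOwnProperty keeps "constructor" and similar inherited keys out.
  if (typeof sku !== "string" || !Object.prototype.hasOwnProperty.call(CATALOG, sku)) {
    errors.push("unknown sku");
  }
  // Strict type and range: "3", 2.5, -1 and 1e9 are all refused.
  if (!Number.isInteger(qty) || qty < 1 || qty > MAX_QTY) {
    errors.push("qty must be an integer from 1 to " + MAX_QTY);
  }
  // Optional free text: bounded length, no control characters.
  if (note !== undefined &&
      (typeof note !== "string" || note.length > 200 || /[\u0000-\u001f\u007f]/.test(note))) {
    errors.push("note must be plain text of at most 200 characters");
  }
  if (errors.length > 0) return { ok: false, errors };

  // A price or total sent by the client is ignored; the server recomputes it.
  return { ok: true, order: { sku, qty, note: note || "", totalCents: CATALOG[sku] * qty } };
}

// Constructed sample bodies: as the client code builds it, and with the total changed afterwards.
const asSent = '{"sku":"sku-100","qty":2,"totalCents":3998}';
const changed = '{"sku":"sku-100","qty":2,"totalCents":1}';
console.log(validateOrder(asSent), validateOrder(changed));
```

Both sample bodies produce the same server-computed total, because nothing the client says about price is used.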
[ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)
That seems a curious statement, Forrest, and I'm sure some would enjoy a bit of discussion on it. For those who weren't following closely, he had asked first about some challenges using a CFX_google custom tag, and in the replies he was told that it's quite old and instead Google favors some Ajax APIs instead. Forrest replies he hoped the "Ajax thing would just go away".

So, do you realize that Ajax is merely a way to make browsers smarter? It enables them to make calls to remote servers. Sure, we could do that in the past with Java applets, ActiveX controls, Flash, and even plain JavaScript. And we could of course do it from the server using either REST or SOAP APIs. Ajax is just a simplified API to enable that very JavaScript-based client-server interaction. For those who need to talk to servers from clients (either because they can't or don't want to involve a server to proxy the communications for them), we don't want them to go back to Java and ActiveX, do we? :-) And while we may wish everyone would use Flex, it's just not likely. Many will, for the much larger problem space it solves, but for the average web developer, it's not really as simple as dropping in some AJAX API calls.

If Google (or other vendors) want to create a way for people to connect, and they want to make it work regardless of what web app server platform people use (and as well for those who have no server), and they provide an Ajax-based API to what (I suppose are otherwise REST-based) services, that seems to be just being smart, widening the pool of possible users.

Look at it another way (for us CFers), they (like Amazon, Ebay, and others) could instead just document calling from Java, ASP.NET, and PHP. They tend to not go that one step further to include CF. At least by their offering a platform-agnostic solution that doesn't require any server-side processing, they've helped more than just those who have no server to make calls from.

Just some thoughts.
I'm not fanatical about all this, and I may well myself be missing a point. But since this is the ACFUG "discussion" list, that comment seemed one worth discussing. :-)

/charlie

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Forrest C. Gilmore
Sent: Thursday, February 07, 2008 5:30 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] JVM version and ColdFusion

Thanks, Charlie. Your comments were very helpful!

I have been hoping that this AJAX thing would just go away, as it seems to be a step backwards, but it looks like it will be around a while longer!

Forrest C. Gilmore

Charlie Arehart wrote:
> Forrest, I realize you've perhaps abandoned the effort, but I'll throw out some clarification if it's useful, first about the JRE/CFX issue, then about calling the google search APIs.