Re: [flexcoders] Re: Securely Interfacing Between Flex and Databases
On Wednesday 21 May 2008, Battershall, Jeff wrote:
> Yes, but we're talking on YOUR network where you have WebScarab or other
> such tool installed. It's not as though ALL your bank's transactions,
> regardless of intended recipient, are now visible to you.

No, of course not. The OP asked "/i/ can easily see the data of /my/ bank transfers" (my emphasis).

--
Tom Chiverton

This email is sent for and on behalf of Halliwells LLP. Halliwells LLP is a limited liability partnership registered in England and Wales under registered number OC307980 whose registered office address is at Halliwells LLP, 3 Hardman Square, Spinningfields, Manchester, M3 3EB. A list of members is available for inspection at the registered office. Any reference to a partner in relation to Halliwells LLP means a member of Halliwells LLP. Regulated by The Solicitors Regulation Authority.

CONFIDENTIALITY: This email is intended only for the use of the addressee named above and may be confidential or legally privileged. If you are not the addressee you must not read it and must not use any information contained in nor copy it nor inform any person other than Halliwells LLP or the addressee of its existence or contents. If you have received this email in error please delete it and notify Halliwells LLP IT Department on 0870 365 2500. For more information about Halliwells LLP visit www.halliwells.com.

--
Flexcoders Mailing List
FAQ: http://groups.yahoo.com/group/flexcoders/files/flexcodersFAQ.txt
Search Archives: http://www.mail-archive.com/flexcoders%40yahoogroups.com
Yahoo! Groups Links
<*> To visit your group on the web, go to: http://groups.yahoo.com/group/flexcoders/
<*> Your email settings: Individual Email | Traditional
<*> To change settings online go to: http://groups.yahoo.com/group/flexcoders/join (Yahoo! ID required)
<*> To change settings via email: mailto:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
<*> To unsubscribe from this group, send an email to: [EMAIL PROTECTED]
<*> Your use of Yahoo! Groups is subject to: http://docs.yahoo.com/info/terms/
[flexcoders] Re: Securely Interfacing Between Flex and Databases
Kenny, are you saying you want to implement security *within* your Flex app? I think you'd have serious security holes with that (your decompilation concern, for one). Typically security would be handled at the client-server level, by hosting your SWF on a server that has been configured to accept connections over https (e.g., https://myserver.com/myapp), connecting to your app via HTTPS from a browser, and designing your Flex app to connect to other servers over HTTPS as well. Web servers and browsers already have built-in implementations of RSA, SSL/TLS, and the other "industry standards" mentioned in other posts so there's really no need to implement them yourself. The same SWF (with certain design considerations taken into account, of course) can be accessed on the web non-securely (over HTTP), or securely (over HTTPS).

HTH,
Doug

--- In flexcoders@yahoogroups.com, "kenny14390" <[EMAIL PROTECTED]> wrote:
>
> So the bottom line is to use an algorithm like RSA? To take a much
> simpler example, if the Flex app receives the encrypted data "1234"
> and it wishes to use that data, it must first decrypt it. So it
> performs the decryption in some AS and now you have the decrypted data
> that you wanted. My question now is, if someone decompiles your app
> they can see your decryption method and thus decode the data on their
> own. Nothing is private in the Flex app due to the decompilation concern.
>
> Regarding SSL, I suppose this is out of the question if we're talking
> about a Facebook application. I don't have much control over their
> security.
>
> --- In flexcoders@yahoogroups.com, "andrewwestberg" wrote:
> >
> > I think you're confusing simple secret key encryption (DES, AES,
> > etc..) with public/private key encryption (RSA).
> >
> > In secret-key encryption if an attacker steals the data and guesses or
> > brute forces the secret key, they can see the data.
> >
> > In public/private key encryption, a message you send to the server is
> > encrypted by a public key and can ONLY be decrypted by a private key
> > known only to the webserver (the certificate you bought from verisign,
> > thawte, etc...) This is how when you sign onto paypal or some other
> > site over https, you don't have to worry about your credit-card being
> > stolen in transmission. Sitting in some DB at the company where
> > employees can get at it, you should worry, but during transmission,
> > it's unlikely to get cracked.
> >
> > -Andrew
> >
>
RE: [flexcoders] Re: Securely Interfacing Between Flex and Databases
Yes, but we're talking on YOUR network where you have WebScarab or other such tool installed. It's not as though ALL your bank's transactions, regardless of intended recipient, are now visible to you.

-----Original Message-----
From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Tom Chiverton
Sent: Wednesday, May 21, 2008 4:41 AM
To: flexcoders@yahoogroups.com
Subject: Re: [flexcoders] Re: Securely Interfacing Between Flex and Databases

On Tuesday 20 May 2008, David Pariente wrote:
> So you mean I can easily see the data of my bank transfers just using an
> SSL proxy, like WebScarab

Yes, exactly.

--
Tom Chiverton
Re: [flexcoders] Re: Securely Interfacing Between Flex and Databases
On Tuesday 20 May 2008, David Pariente wrote:
> So you mean I can easily see the data of my bank transfers just using an SSL
> proxy, like WebScarab

Yes, exactly.

--
Tom Chiverton
Re: [flexcoders] Re: Securely Interfacing Between Flex and Databases
If your encryption can be broken just because somebody has the source to your algorithm, then it's worthless already =) That's why we've got standard algorithms that rely on keys in the first place.

-J

On Wed, May 21, 2008 at 2:25 PM, kenny14390 <[EMAIL PROTECTED]> wrote:
> So the bottom line is to use an algorithm like RSA? To take a much
> simpler example, if the Flex app receives the encrypted data "1234"
> and it wishes to use that data, it must first decrypt it. So it
> performs the decryption in some AS and now you have the decrypted data
> that you wanted. My question now is, if someone decompiles your app
> they can see your decryption method and thus decode the data on their
> own. Nothing is private in the Flex app due to the decompilation concern.
>
> Regarding SSL, I suppose this is out of the question if we're talking
> about a Facebook application. I don't have much control over their
> security.
>
>
> --- In flexcoders@yahoogroups.com, "andrewwestberg"
> <[EMAIL PROTECTED]> wrote:
> >
> > I think you're confusing simple secret key encryption (DES, AES,
> > etc..) with public/private key encryption (RSA).
> >
> > In secret-key encryption if an attacker steals the data and guesses or
> > brute forces the secret key, they can see the data.
> >
> > In public/private key encryption, a message you send to the server is
> > encrypted by a public key and can ONLY be decrypted by a private key
> > known only to the webserver (the certificate you bought from verisign,
> > thawte, etc...) This is how when you sign onto paypal or some other
> > site over https, you don't have to worry about your credit-card being
> > stolen in transmission. Sitting in some DB at the company where
> > employees can get at it, you should worry, but during transmission,
> > it's unlikely to get cracked.
> >
> > -Andrew
> >
>

--
"Therefore, send not to know
For whom the bell tolls.
It tolls for thee."

:: Josh 'G-Funk' McDonald
:: 0437 221 380
:: [EMAIL PROTECTED]
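Josh's point above is Kerckhoffs' principle: a scheme is only sound if its security rests on the key, not on keeping the algorithm secret. The block below is an added example, not code from the thread or from any of its posters, written in Python (rather than the ActionScript/PHP the thread uses) so it runs stand-alone. It shows a server-issued, HMAC-signed request token: someone holding the full source (as anyone with a decompiled SWF would) can read the token and rewrite its payload but cannot produce a valid tag without the server-side key. It also shows the failure mode the OP fears: when the key itself is compiled into the client, a decompiler recovers it and the tokens are worthless. The user ids, clock values and the "embedded" key are constructed sample values.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# The only secret in the scheme. It lives on the server and is never shipped
# in the SWF; everything else in this file can be public.
SERVER_KEY = secrets.token_bytes(32)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, user_id: str, now: int, ttl: int = 300) -> str:
    """Server side: bind a user id and an expiry time to an HMAC-SHA256 tag."""
    payload = json.dumps({"uid": user_id, "exp": now + ttl},
                         separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_token(key: bytes, token: str, now: int):
    """Server side: return the payload dict if the tag is valid and the token
    is unexpired, otherwise None. Malformed input is rejected, never raised."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        return None
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(data, dict) or data.get("exp", 0) < now:
        return None
    return data


def rewrite_payload(token: str, new_user_id: str) -> str:
    """Attacker side: with the full source but no key, the best available move
    is to rewrite the readable payload and hope the old tag still passes."""
    payload_b64, tag_b64 = token.split(".", 1)
    data = json.loads(_unb64(payload_b64))
    data["uid"] = new_user_id
    forged = json.dumps(data, separators=(",", ":")).encode("utf-8")
    return _b64(forged) + "." + tag_b64


def demo() -> dict:
    """Run the four cases and report which tokens the server accepts."""
    t0 = 1_000_000                      # constructed clock value
    genuine = issue_token(SERVER_KEY, "alice", now=t0)
    results = {
        "genuine accepted": verify_token(SERVER_KEY, genuine, now=t0 + 100) is not None,
        "rewritten payload accepted": verify_token(
            SERVER_KEY, rewrite_payload(genuine, "bob"), now=t0 + 100) is not None,
        "expired accepted": verify_token(SERVER_KEY, genuine, now=t0 + 400) is not None,
    }
    # The failure mode the thread worries about: the key compiled into the
    # client. A decompiler recovers it, and then the attacker *is* the server.
    client_embedded_key = b"0123456789abcdef0123456789abcdef"   # constructed
    forged = issue_token(client_embedded_key, "bob", now=t0)
    results["forged with extracted key accepted"] = (
        verify_token(client_embedded_key, forged, now=t0 + 100) is not None)
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {accepted}")
```

The takeaway for the Flex case is the last result: nothing the SWF holds can be a secret, so any key that must stay secret has to stay on the server, and the client only ever carries tokens the server can verify.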
[flexcoders] Re: Securely Interfacing Between Flex and Databases
So the bottom line is to use an algorithm like RSA? To take a much simpler example, if the Flex app receives the encrypted data "1234" and it wishes to use that data, it must first decrypt it. So it performs the decryption in some AS and now you have the decrypted data that you wanted. My question now is, if someone decompiles your app they can see your decryption method and thus decode the data on their own. Nothing is private in the Flex app due to the decompilation concern.

Regarding SSL, I suppose this is out of the question if we're talking about a Facebook application. I don't have much control over their security.

--- In flexcoders@yahoogroups.com, "andrewwestberg" <[EMAIL PROTECTED]> wrote:
>
> I think you're confusing simple secret key encryption (DES, AES,
> etc..) with public/private key encryption (RSA).
>
> In secret-key encryption if an attacker steals the data and guesses or
> brute forces the secret key, they can see the data.
>
> In public/private key encryption, a message you send to the server is
> encrypted by a public key and can ONLY be decrypted by a private key
> known only to the webserver (the certificate you bought from verisign,
> thawte, etc...) This is how when you sign onto paypal or some other
> site over https, you don't have to worry about your credit-card being
> stolen in transmission. Sitting in some DB at the company where
> employees can get at it, you should worry, but during transmission,
> it's unlikely to get cracked.
>
> -Andrew
>
Re: [flexcoders] Re: Securely Interfacing Between Flex and Databases
On Tue, May 20, 2008 at 4:54 PM, Aaron Miller <[EMAIL PROTECTED]> wrote:
> Are you using any kind of token based authentication to serve the
> data? All the SSL in the world wouldn't stop someone from just sending
> POST or GET vars to your php scripts and getting the data back in nice
> pretty XML. Decompiling the SWF would make it real easy to figure out
> what vars to send where. If users do not have to login at all, then
> perhaps you could do something with PHP sessions to verify the source
> of the requests before serving any data.
>
> Regards,
> ~Aaron
>
> On Tue, May 20, 2008 at 4:25 PM, andrewwestberg
> <[EMAIL PROTECTED]> wrote:
>> I think you're confusing simple secret key encryption (DES, AES,
>> etc..) with public/private key encryption (RSA).
>>
>> In secret-key encryption if an attacker steals the data and guesses or
>> brute forces the secret key, they can see the data.
>>
>> In public/private key encryption, a message you send to the server is
>> encrypted by a public key and can ONLY be decrypted by a private key
>> known only to the webserver (the certificate you bought from verisign,
>> thawte, etc...) This is how when you sign onto paypal or some other
>> site over https, you don't have to worry about your credit-card being
>> stolen in transmission. Sitting in some DB at the company where
>> employees can get at it, you should worry, but during transmission,
>> it's unlikely to get cracked.
>>
>> -Andrew
>>
>>
>
>
>
> --
> Aaron Miller
> Chief Technology Officer
> Open Base Interactive, LLC.
> [EMAIL PROTECTED]
> http://www.openbaseinteractive.com
>

--
Aaron Miller
Chief Technology Officer
Open Base Interactive, LLC.
[EMAIL PROTECTED]
http://www.openbaseinteractive.com
[flexcoders] Re: Securely Interfacing Between Flex and Databases
I think you're confusing simple secret key encryption (DES, AES, etc..) with public/private key encryption (RSA).

In secret-key encryption if an attacker steals the data and guesses or brute forces the secret key, they can see the data.

In public/private key encryption, a message you send to the server is encrypted by a public key and can ONLY be decrypted by a private key known only to the webserver (the certificate you bought from verisign, thawte, etc...) This is how when you sign onto paypal or some other site over https, you don't have to worry about your credit-card being stolen in transmission. Sitting in some DB at the company where employees can get at it, you should worry, but during transmission, it's unlikely to get cracked.

-Andrew
Re: [flexcoders] Re: Securely Interfacing Between Flex and Databases
So you mean I can easily see the data of my bank transfers just using an SSL proxy, like WebScarab :O

----- Original message -----
From: Tom Chiverton <[EMAIL PROTECTED]>
To: flexcoders@yahoogroups.com
Sent: Tuesday, 20 May 2008 17:40:59
Subject: Re: [flexcoders] Re: Securely Interfacing Between Flex and Databases

On Tuesday 20 May 2008, David Pariente wrote:
> when using SSL, maybe you
> could guess what kind of data is sent or received, but you would never be able
> to see actual data.

This is a common mistake. It is perfectly possible to configure an SSL* proxy, like WebScarab, and use it to inspect/modify the content of the SSL* requests.

--
Tom Chiverton

* I'm sure we all really mean 'TLS' here, right?

__
Sent from Yahoo! Mail. The smartest inbox.
Re: [flexcoders] Re: Securely Interfacing Between Flex and Databases
On Tuesday 20 May 2008, David Pariente wrote:
> when using SSL, maybe you
> could guess what kind of data is sent or received, but you would never be able
> to see actual data.

This is a common mistake. It is perfectly possible to configure an SSL* proxy, like WebScarab, and use it to inspect/modify the content of the SSL* requests.

--
Tom Chiverton

* I'm sure we all really mean 'TLS' here, right?
Re: [flexcoders] Re: Securely Interfacing Between Flex and Databases
What the heck did you use before Flex that was so uber secure? This is the world wide web here we are discussing, eh?

DK

On Mon, May 19, 2008 at 8:43 PM, kenny14390 <[EMAIL PROTECTED]> wrote:
> Well the concern is that no matter how you choose to encrypt/decrypt
> information, a Flash movie can always be decompiled and your
> decryption method is caught with its pants down, allowing users to
> find out how to view sensitive material that they're not supposed to
> be looking at. So how are we supposed to move this kind of data in and
> out of a Flex application without the worry? Does SSL even help? The
> concern is not the forging of data, but rather the interception and
> decryption of it.
>
> --- In flexcoders@yahoogroups.com,
> "andrewwestberg"
> <[EMAIL PROTECTED]> wrote:
> >
> > Simply having SSL (https) enabled on your php webserver will help.
> > Another methodology for accessing DB data is using AMFPHP (although I
> > haven't used it myself).
> >
> > -Andrew
> >
>

--
Douglas Knudsen
http://www.cubicleman.com
this is my signature, like it?
Re: [flexcoders] Re: Securely Interfacing Between Flex and Databases
I guess SSL should help. If it helps thousands of banks around the globe, it should work for you too. Decompressing a SWF will not give any hint at all when using SSL; maybe you could guess what kind of data is sent or received, but you would never be able to see actual data.

----- Original message -----
From: kenny14390 <[EMAIL PROTECTED]>
To: flexcoders@yahoogroups.com
Sent: Tuesday, 20 May 2008 4:43:39
Subject: [flexcoders] Re: Securely Interfacing Between Flex and Databases

Well the concern is that no matter how you choose to encrypt/decrypt information, a Flash movie can always be decompiled and your decryption method is caught with its pants down, allowing users to find out how to view sensitive material that they're not supposed to be looking at. So how are we supposed to move this kind of data in and out of a Flex application without the worry? Does SSL even help? The concern is not the forging of data, but rather the interception and decryption of it.

--- In flexcoders@yahoogroups.com, "andrewwestberg" wrote:
>
> Simply having SSL (https) enabled on your php webserver will help.
> Another methodology for accessing DB data is using AMFPHP (although I
> haven't used it myself).
>
> -Andrew
>
RE: [flexcoders] Re: Securely Interfacing Between Flex and Databases
SSL is essential. Decompiling a swf isn't going to assist in decrypting SSL. You're thinking that SSL isn't good enough?

AMF by itself just compresses the data - it doesn't implement any sort of encryption, AFAIK.

-----Original Message-----
From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of kenny14390
Sent: Monday, May 19, 2008 10:44 PM
To: flexcoders@yahoogroups.com
Subject: [flexcoders] Re: Securely Interfacing Between Flex and Databases

Well the concern is that no matter how you choose to encrypt/decrypt information, a Flash movie can always be decompiled and your decryption method is caught with its pants down, allowing users to find out how to view sensitive material that they're not supposed to be looking at. So how are we supposed to move this kind of data in and out of a Flex application without the worry? Does SSL even help? The concern is not the forging of data, but rather the interception and decryption of it.

--- In flexcoders@yahoogroups.com, "andrewwestberg" <[EMAIL PROTECTED]> wrote:
>
> Simply having SSL (https) enabled on your php webserver will help.
> Another methodology for accessing DB data is using AMFPHP (although I
> haven't used it myself).
>
> -Andrew
>
[flexcoders] Re: Securely Interfacing Between Flex and Databases
Well the concern is that no matter how you choose to encrypt/decrypt information, a Flash movie can always be decompiled and your decryption method is caught with its pants down, allowing users to find out how to view sensitive material that they're not supposed to be looking at. So how are we supposed to move this kind of data in and out of a Flex application without the worry? Does SSL even help? The concern is not the forging of data, but rather the interception and decryption of it.

--- In flexcoders@yahoogroups.com, "andrewwestberg" <[EMAIL PROTECTED]> wrote:
>
> Simply having SSL (https) enabled on your php webserver will help.
> Another methodology for accessing DB data is using AMFPHP (although I
> haven't used it myself).
>
> -Andrew
>
[flexcoders] Re: Securely Interfacing Between Flex and Databases
Simply having SSL (https) enabled on your php webserver will help. Another methodology for accessing DB data is using AMFPHP (although I haven't used it myself).

-Andrew
[flexcoders] Re: Securely Interfacing Between Flex and Databases
I ask because security is not only a concern for my personal project, but also my employment responsibilities for my summer internship, so I want to hear how others deal with this issue. If you can help, I'd really appreciate the information.

--- In flexcoders@yahoogroups.com, "kenny14390" <[EMAIL PROTECTED]> wrote:
>
> I've been using the following method for accessing databases in Flex:
>
> -HTTPService component connects to a PHP page on the same server and
> sends any appropriate data values via the POST or GET method.
>
> -PHP page sets up a MySQL connection and performs the necessary
> operations.
>
> -PHP writes any appropriate output values to the page in XML format.
>
> -HTTPService component follows up with the result by calling an
> appropriate ActionScript function, passing in the ResultEvent for easy
> XML parsing.
>
> This method works for me, but is there an easier way? More
> importantly, is there a SECURER way? I fear that having these PHP
> files is not only redundant but it also poses a security risk for SQL
> injections or a sniffing man-in-the-middle attack. The data I'm
> sending back and forth is not all that important compared to banking
> information or something, but I'm still worried about security and it
> would be good to know the proper way to do a task like this.
>
> Is this the only way to connect to a database? Is there a more secure
> way? Thanks!
>
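Two of the concerns raised in this thread, the original post's worry about SQL injection in the PHP page and Aaron Miller's point that TLS does nothing to stop a user posting directly to that page with the variables read out of a decompiled SWF, are both dealt with on the server, not in the Flex client. The block below is an added example, not code from the thread or any of its posters; it is written in Python with an in-memory SQLite table standing in for the PHP/MySQL page, so it runs offline. It contrasts the string-spliced query with a parameterized one, ties the rows returned to the logged-in session rather than to a client-supplied owner, and emits the XML the HTTPService result handler would parse. The `orders` table, its rows and the session/parameter dicts are constructed sample data.

```python
import sqlite3
import xml.etree.ElementTree as ET


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the MySQL database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, item TEXT, amount REAL)")
    db.executemany(
        "INSERT INTO orders (owner, item, amount) VALUES (?, ?, ?)",
        [("alice", "keyboard", 49.0), ("alice", "monitor", 210.0), ("bob", "laptop", 1300.0)],
    )
    return db


def vulnerable_lookup(db, owner: str, item: str) -> list:
    """The pattern the original post is worried about: request values spliced
    into the SQL string, so the user's input is parsed as SQL."""
    sql = (f"SELECT owner, item, amount FROM orders "
           f"WHERE owner = '{owner}' AND item = '{item}'")
    return db.execute(sql).fetchall()


def safe_lookup(db, owner: str, item: str) -> list:
    """Parameterized query: values travel separately from the statement and
    are never re-parsed, whatever quotes or keywords they contain."""
    return db.execute(
        "SELECT owner, item, amount FROM orders WHERE owner = ? AND item = ?",
        (owner, item),
    ).fetchall()


def handle_request(db, session: dict, params: dict):
    """Stand-in for the PHP page the HTTPService posts to. `session` is the
    server-side session (PHP's $_SESSION), `params` the POST/GET variables.
    Returns (http_status, xml_body)."""
    user = session.get("user")
    if not user:
        # Nothing in the SWF is secret, so the endpoint must authenticate every
        # request itself; a decompiled URL and parameter list gets no data.
        return 401, "<error>login required</error>"
    # The row owner comes from the session, never from the client, so a user
    # cannot fetch somebody else's orders by editing the request.
    rows = safe_lookup(db, user, params.get("item", ""))
    root = ET.Element("orders")
    for owner, item, amount in rows:
        node = ET.SubElement(root, "order", owner=owner, item=item)
        node.text = f"{amount:.2f}"
    # ElementTree escapes <, & and quotes, so stored data cannot break the
    # XML that the Flex ResultEvent parses.
    return 200, ET.tostring(root, encoding="unicode")


def orders_from_xml(xml_text: str) -> list:
    """Client side: what the Flex result handler would extract from the XML."""
    return [(o.get("owner"), o.get("item"), float(o.text))
            for o in ET.fromstring(xml_text)]


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"           # classic injection string
    print("spliced SQL  :", vulnerable_lookup(db, "alice", payload))   # every row, bob's included
    print("parameterized:", safe_lookup(db, "alice", payload))         # []
    print(handle_request(db, {}, {"item": "keyboard"}))                # (401, ...)
    print(handle_request(db, {"user": "alice"}, {"item": "keyboard"}))
```

In the PHP page the thread is actually about, the same three measures are PDO or mysqli prepared statements with bound parameters instead of interpolated `$_POST` values, `session_start()` followed by a check of `$_SESSION` before any query runs, and building the response with DOMDocument or `htmlspecialchars()` rather than string concatenation. TLS is still needed on top of this to keep the session cookie and the data off the wire, but it is the server-side checks that decide who gets which rows.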