Re: is communication over GWT-RPC secure

2008-09-11 Thread Reinier Zwitserloot

harimack: all https is as safe as you can make it, with the following
caveats:

1. you NEED a signed cert from a root cert authority. This costs 100
dollars or more.

2. The designers of the https spec made some serious screwups way back
when but are now afraid to fix their mistakes. You may experience some
undue hardship because of this:

 A. you don't show up in referral logs; anytime a https site has a
link to a non-http site, and you click on it, the browser will not
send a referrer header.
 B. Many browsers just don't cache when https is involved, even if
you, the server, are saying that it's perfectly all right to do so.
This can get annoying for your users and expensive on your bandwidth
bill real fast.
 C. You should dive into your https settings on the jboss server and
just turn off the really old encryption standards - you should just
support TLS (SSL3 is an alias for that, I think), with at least 1024
bits for the handshake and 128 bits for the rest of the connection.
Really old SSL clients only support 40-bit encryption, which any
modern PC can brute force in a few hours. If such a client finds your
site, it's unlikely to work with GWT anyway, but they might just get
far enough to log in which isn't good at such a low encryption, of
course. Hence: Tell your JBoss server to not even offer that old
standard. It may already be configured that way, I don't know the
specifics.

On Sep 11, 12:11 am, harimack [EMAIL PROTECTED] wrote:
 Thomas, Charlie,

 thanks much for the details and pointers.  I agree keeping sign-in and
 signup separate from GWT app is a good approach, thanks for the
 suggestion.

 also, i tried this approach today, if i switch on HTTPS/SSL on my
 Jboss server which i am using to deploy my gwt app ( and turnoff
 http ), all communication can happen over https. this will ensure all
 communication btw my client and server are safe, gwt or servlet.

 am i correct in my assumption, please let me know.

 thanks
 Hari

 On Sep 8, 3:07 am, Charlie Collins [EMAIL PROTECTED] wrote:

  As Thomas stated, make sure you use HTTPS.  Also, I am not sure if
  this is the one you read or not 
  -http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecur...
  - but it has some useful info (and notes https at the bottom, pointing
  to another useful thread as well).

  On Sep 7, 11:02 pm, harimack [EMAIL PROTECTED] wrote:

   Hi All,

     i am new to Security, i am using GWT-RPC for login, i read the GWT
   LoginFAQ, and see that they are recommending using GWT-RPC for login,
   but my concern is, how secure is GWT-RPC over the wire, if some one is
   sniffing, is the data protected over the wire? Can you please let me
   know how would you approach login if you were using GWT-RPC.

   thanks for the help
   Hari
--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
Google Web Toolkit group.
To post to this group, send email to Google-Web-Toolkit@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/Google-Web-Toolkit?hl=en
-~--~~~~--~~--~--~---
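Point 2C above amounts to "derive an allow-list of suites and protocols and hand it to the JSSE connector". The following is an added example (not code from the thread, from GWT or from JBoss) that does exactly that: it asks the JVM's default JSSE provider which suites and protocols it supports, drops the export-grade (40/56-bit), NULL, anonymous and single-DES suites plus SSLv2/SSLv3, and prints the result in the form of the `sslProtocol` and `ciphers` attributes of the Tomcat JSSE connector that JBoss embeds. The weak-name markers and the list of protocols to drop are the editor's assumptions, as is the assumption that your JBoss version's connector honours those two attributes (check the `server.xml` of your `jboss-web` deployer for the exact location).

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * Derives a cipher/protocol allow-list for the JSSE connector JBoss uses,
 * dropping export-grade (40/56-bit), NULL, anonymous and single-DES suites,
 * plus SSLv2/SSLv3, so the server never offers them. Added example; the
 * marker lists below are an assumed policy, not a JBoss or GWT default.
 */
public class CipherPolicy {

    // Name fragments that mark a JSSE suite as weak (assumed policy).
    private static final String[] WEAK_MARKERS = {
        "_EXPORT",    // export-grade suites: 40- or 56-bit keys
        "_NULL_",     // no encryption at all
        "_anon_",     // no server authentication (e.g. TLS_DH_anon_...)
        "_WITH_DES_"  // single DES, 56-bit (3DES is "_WITH_3DES_", kept)
    };

    // Protocol names the server should not offer (assumed policy).
    private static final String[] OLD_PROTOCOLS = { "SSLv2Hello", "SSLv3" };

    // True when the suite name carries any of the weak markers.
    static boolean isWeak(String suite) {
        for (String marker : WEAK_MARKERS) {
            if (suite.contains(marker)) return true;
        }
        return false;
    }

    // Keeps only suites that pass isWeak().
    static List<String> strongSuites(String[] supported) {
        List<String> out = new ArrayList<String>();
        for (String s : supported) {
            if (!isWeak(s)) out.add(s);
        }
        return out;
    }

    // Drops the SSLv2 hello and SSLv3 from the supported protocol list.
    static List<String> modernProtocols(String[] supported) {
        List<String> out = new ArrayList<String>();
        for (String p : supported) {
            boolean old = false;
            for (String o : OLD_PROTOCOLS) {
                if (p.equals(o)) old = true;
            }
            if (!old) out.add(p);
        }
        return out;
    }

    // Comma-joins a list, which is the format the connector's ciphers attribute expects.
    static String join(List<String> items) {
        StringBuilder sb = new StringBuilder();
        for (String item : items) {
            if (sb.length() > 0) sb.append(',');
            sb.append(item);
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();

        String[] allSuites = factory.getSupportedCipherSuites();
        String[] allProtocols = ctx.getSupportedSSLParameters().getProtocols();

        List<String> suites = strongSuites(allSuites);
        List<String> protocols = modernProtocols(allProtocols);

        System.out.println("Dropped " + (allSuites.length - suites.size())
                + " weak suites out of " + allSuites.length);
        System.out.println("Protocols to keep: " + join(protocols));
        System.out.println();
        System.out.println("Connector attributes (Tomcat JSSE connector embedded in JBoss):");
        System.out.println("  sslProtocol=\"TLS\"");
        System.out.println("  ciphers=\"" + join(suites) + "\"");
    }
}
```

Run it with the same JVM that runs JBoss, since the supported-suite list comes from that JVM's JSSE provider; paste the printed `ciphers` value into the HTTPS connector and restart. Because the list is an allow-list rather than a deny-list, a provider upgrade that adds new weak suites cannot silently re-enable them, which is the property point 2C asks for.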



Re: is communication over GWT-RPC secure

2008-09-08 Thread Charlie Collins

As Thomas stated, make sure you use HTTPS.  Also, I am not sure if
this is the one you read or not -
http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ
- but it has some useful info (and notes https at the bottom, pointing
to another useful thread as well).

On Sep 7, 11:02 pm, harimack [EMAIL PROTECTED] wrote:
 Hi All,

   i am new to Security, i am using GWT-RPC for login, i read the GWT
 LoginFAQ, and see that they are recommending using GWT-RPC for login,
 but my concern is, how secure is GWT-RPC over the wire, if some one is
 sniffing, is the data protected over the wire? Can you please let me
 know how would you approach login if you were using GWT-RPC.

 thanks for the help
 Hari



is communication over GWT-RPC secure

2008-09-07 Thread harimack

Hi All,

  i am new to Security, i am using GWT-RPC for login, i read the GWT
LoginFAQ, and see that they are recommending using GWT-RPC for login,
but my concern is, how secure is GWT-RPC over the wire, if some one is
sniffing, is the data protected over the wire? Can you please let me
know how would you approach login if you were using GWT-RPC.

thanks for the help
Hari
