On Friday 25 Apr 2008, valdhor wrote:
True. But they would need to know the location (It is not in the
WSDL), the username and the password.
All of which are sent over the wire.
--
Tom Chiverton
Helping to widespreadedly exploit scalable interfaces
on: http://thefalken.livejournal.com
On Friday 25 Apr 2008, Randy Martin wrote:
I've never actually done this, but can't you encrypt the credentials
in Flex, send them to the webservice, and decrypt them in the service?
Yes, you could.
But I can write my own client that just does the same thing.
--
Tom Chiverton
Helping to
Tom
Are we on the same page here?
We use SSL Encryption of the username and password as well as the data
going over the wire.
Are you saying that it is trivial for someone to find out the source
and destination of the encrypted SSL stream, grab this data off the
wire and decrypt it?
--- In
On Monday 28 Apr 2008, valdhor wrote:
We use SSL Encryption of the username and password as well as the data
going over the wire.
Uh huh.
Are you saying that it is trivial for someone to find out the source
and destination of the encrypted SSL stream, grab this data off the
wire and decrypt
Hmmm - I will have to check out WebScarab.
--- In flexcoders@yahoogroups.com, Tom Chiverton [EMAIL PROTECTED]
wrote:
On Monday 28 Apr 2008, valdhor wrote:
We use SSL Encryption of the username and password as well as the data
going over the wire.
Uh huh.
Are you saying that it is
this is similar to ServiceCapture, Charles, Wireshark, etc, eh? They are
'man-in-the-middle' tools. They have to be installed and running on the PC
to intercept/view any http/https requests.
Tom, you are merely suggesting that it is possible that a user could have a
man-in-the-middle
On Monday 28 Apr 2008, Douglas Knudsen wrote:
Tom, you are merely suggesting that it is possible that a user could have a
man-in-the-middle virus/proggy running unbeknownst to them?
I believe the original problem was that end users might try and write their own
client, using the same services
We don't use Flex to access our Web Services; We use PHP or Perl. To
stop unauthorized access we use a combination of SSL as well as
wssecurity
(http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd).
I don't know if Flex allows you to create SOAP Headers but if it
On Friday 25 Apr 2008, valdhor wrote:
We don't use Flex to access our Web Services; We use PHP or Perl. To
stop unauthorized access we use a combination of SSL as well as
wssecurity
Just to be clear, this doesn't 'stop' anyone writing their own client for your
service.
--
Tom Chiverton
I've never actually done this, but can't you encrypt the credentials
in Flex, send them to the webservice, and decrypt them in the service?
~randy
--- In flexcoders@yahoogroups.com, Tom Chiverton [EMAIL PROTECTED]
wrote:
On Friday 25 Apr 2008, valdhor wrote:
We don't use Flex to access our
Check out the AS3Crypto library at http://crypto.hurlant.com/
~randy
--- In flexcoders@yahoogroups.com, Randy Martin [EMAIL PROTECTED] wrote:
I've never actually done this, but can't you encrypt the credentials
in Flex, send them to the webservice, and decrypt
-Original Message-
From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
Behalf Of Tom Chiverton
Sent: Friday, April 25, 2008 11:05 AM
To: flexcoders@yahoogroups.com
Subject: Re: [flexcoders] Re: Best way to secure a ColdFusion web
service
On Friday 25 Apr 2008, valdhor wrote:
We don't use
True. But they would need to know the location (It is not in the
WSDL), the username and the password.
--- In flexcoders@yahoogroups.com, Tom Chiverton [EMAIL PROTECTED]
wrote:
On Friday 25 Apr 2008, valdhor wrote:
We don't use Flex to access our Web Services; We use PHP or Perl. To
stop
SSL is key (assuming it blocks out the data), as it is pretty trivial
to find the service location, and even the method names with something
like service capture. So unless the traffic is over SSL, you can
easily see things like IDs and passwords passed into the services.
I am curious to