Re: [flexcoders] Re: Best way to secure a ColdFusion web service

2008-04-28 Thread Tom Chiverton
On Monday 28 Apr 2008, Douglas Knudsen wrote: > Tom, you are merely suggesting that it is possible that a user could have a > man-in-the-middle virus/proggy running unbeknownst to them? I believe the original problem was that end users might try and write their own client, using the same services

Re: [flexcoders] Re: Best way to secure a ColdFusion web service

2008-04-28 Thread Douglas Knudsen
this is similar to ServiceCapture, Charles, Wireshark, etc, eh? They are 'man-in-the-middle' tools. They have to be installed and running on the PC to intercept/view any http/https requests. Tom, you are merely suggesting that it is possible that a user could have a man-in-the-middle virus/progg

Re: [flexcoders] Re: Best way to secure a ColdFusion web service

2008-04-28 Thread Tom Chiverton
On Monday 28 Apr 2008, valdhor wrote: > We use SSL Encryption of the username and password as well as the data > going over the wire. Uh huh. > Are you saying that it is trivial for someone to find out the source > and destination of the encrypted SSL stream, grab this data off the > wire and dec

Re: [flexcoders] Re: Best way to secure a ColdFusion web service

2008-04-28 Thread Tom Chiverton
On Friday 25 Apr 2008, Randy Martin wrote: > I've never actually done this, but can't you encrypt the credentials > in Flex, send them to the webservice, and decrypt them in the service? Yes, you could. But I can write my own client that just does the same thing. -- Tom Chiverton Helping to bian

Re: [flexcoders] Re: Best way to secure a ColdFusion web service

2008-04-28 Thread Tom Chiverton
On Friday 25 Apr 2008, valdhor wrote: > True. But they would need to know the location (It is not in the > WSDL), the username and the password. All of which are sent over the wire. -- Tom Chiverton Helping to widespreadedly exploit scalable interfaces on: http://thefalken.livejournal.com *

Re: [flexcoders] Re: Best way to secure a ColdFusion web service

2008-04-25 Thread dnk
SSL is key (assuming it blocks out the data) as it is pretty trivial to find the service location, and even the method names, with something like ServiceCapture. So unless the traffic is over SSL, you can easily see things like IDs and passwords passed into the services. I am curious to s

RE: [flexcoders] Re: Best way to secure a ColdFusion web service

2008-04-25 Thread Battershall, Jeff
credentials. Jeff -Original Message- From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Tom Chiverton Sent: Friday, April 25, 2008 11:05 AM To: flexcoders@yahoogroups.com Subject: Re: [flexcoders] Re: Best way to secure a ColdFusion web service On Friday 25 Apr 2008, valdhor w

Re: [flexcoders] Re: Best way to secure a ColdFusion web service

2008-04-25 Thread Tom Chiverton
On Friday 25 Apr 2008, valdhor wrote: > We don't use Flex to access our Web Services; We use PHP or Perl. To > stop unauthorized access we use a combination of SSL as well as > wssecurity Just to be clear, this doesn't 'stop' anyone writing their own client for your service. -- Tom Chiverton He