Apologies in advance if this is considered off-topic, but it is probably in
the interest of all servlet developers to have the best security measures in
place, particularly where senstive data is being transferred (e.g. CC data,
Health data).
One could route servlets through an SSL web server and have them
accessible through an https://... URL (e.g. using Apache with JServ
and mod_SSL).
For the record, I agree with both your posts:
>OUCH! PLEASE!!!
>It's not secure *at all* without encryption (and encryption adds security
only as much as the application which uses it knows what it is doing).
...too true
>Please don't build applications which pass CC data unencrypted! (access
>codes to sensitive data should also be passed in encrypted channels).
>Just because you don't see it on your browser window or in the proxy/server
>logs doesn't mean it isn't easy for someone to just sniff any network
>section between you and the destination server.
..and there are sniffers available for download for all those kiddies out
there
>Cheers,
>--Amos
(from Jarec)
>> Yes they are. The difference is that POST streams the data rather than
>> passing it as text within the header. POST is therefore more
>> secure and recommended for things like passwords and credit card details.
...POST is better because it prevents parameters being found through
"shoulder surfing"
e.g. using GET, the URL could be
http://www.someserver.dom/someservlet?userid=username&password=mypassword
but using POST, you get the more secure (or less insecure!)
http://www.someserver.dom/someservlet
So long as your HTML uses password input fields instead of text, no-one
could eyeball the password that was keyed in, which could be an important
consideration for public environments (e.g. internet cafes, shared
computers)
>> As far as your
>> servlet is concerned the parameters are readily accessible
>> whether they are GET or POST.
...as described in more detail by Amos above
>
> Jarec
>
> -------------------------------------------------------------------
regards,
Conor
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
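As an added example (not code from the original post or from the JServ project), here is a small login servlet that puts the thread's three points into practice: it bounces plain-HTTP requests to https, it refuses to act on a password that arrived in a GET query string (which is already in the access log and browser history by the time the servlet sees it), and it reads the POSTed values with the same getParameter() call that a GET would use. The servlet mapping `/someservlet`, the https listener on port 443, the field names `userid`/`password` from the URL above, and the in-memory demo account are all assumptions made for the example.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Illustrative login servlet (added example, not from the original post).
 * Assumptions: mapped at LOGIN_PATH, https on port 443, demo user store.
 */
public class LoginServlet extends HttpServlet {

    private static final String LOGIN_PATH = "/someservlet";  // assumed mapping
    private static final byte[] SALT = "demo-salt".getBytes(StandardCharsets.UTF_8);
    private static final Map<String, byte[]> USERS = new HashMap<String, byte[]>();

    static {
        // Constructed demo account; a real deployment reads a credential store.
        USERS.put("alice", digest("correct horse"));
    }

    /* Salted SHA-256 of the password, so no plaintext password is stored. */
    private static byte[] digest(String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(SALT);
            return md.digest(password.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /* Constant-time comparison so response timing does not leak digest bytes. */
    private static boolean checkCredentials(String user, String password) {
        byte[] expected = USERS.get(user);
        byte[] candidate = digest(password);
        return expected != null && MessageDigest.isEqual(expected, candidate);
    }

    /* Bounce plain-HTTP requests to the same URL over https. */
    private boolean requireTls(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        if (req.isSecure()) {
            return true;
        }
        resp.sendRedirect("https://" + req.getServerName() + req.getRequestURI());
        return false;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!requireTls(req, resp)) {
            return;
        }
        // A password in the query string is already logged; refuse to use it.
        String qs = req.getQueryString();
        if (qs != null && qs.contains("password=")) {
            resp.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            resp.setHeader("Allow", "POST");
            resp.getWriter().println("Credentials must be sent with POST.");
            return;
        }
        // Serve the form: type="password" masks keystrokes on screen and
        // no-store keeps the page out of shared-machine caches.
        resp.setContentType("text/html");
        resp.setHeader("Cache-Control", "no-store");
        PrintWriter out = resp.getWriter();
        out.println("<form method=\"POST\" action=\"" + LOGIN_PATH + "\">");
        out.println("User: <input type=\"text\" name=\"userid\">");
        out.println("Password: <input type=\"password\" name=\"password\" autocomplete=\"off\">");
        out.println("<input type=\"submit\" value=\"Log in\">");
        out.println("</form>");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!requireTls(req, resp)) {
            return;
        }
        // Same call as for a GET: the servlet API hides where the value came
        // from, which is why the transport has to be chosen deliberately.
        String user = req.getParameter("userid");
        String password = req.getParameter("password");
        resp.setContentType("text/plain");
        resp.setHeader("Cache-Control", "no-store");
        if (user == null || password == null || !checkCredentials(user, password)) {
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            resp.getWriter().println("Login failed.");
            return;
        }
        resp.getWriter().println("Welcome, " + user);
    }
}
```

Two caveats when deploying something like this. isSecure() reports the hop into the servlet container, so if TLS is terminated on a front-end web server that proxies over plain HTTP, the container will see every request as insecure unless the proxy connector is configured to mark them as secure. And the 405 check in doGet is only a backstop: the real protection is that the form itself uses method="POST", since a query string sent by GET also leaks through the Referer header of any page linked from the response.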