But ActiveX is an IE-only element, is it not?

For that case, why not just use an applet and serialise the data from Tomcat to the applet, then either have JavaScript construct the page by querying the applet or have the applet be the interface?

Sunitha --- in short don't try.

PJ

Frank W. Zammetti wrote:

I had such a requirement at work one time, although fortunately I talked some sense into the higher-ups and they forgot about it, but not before I worked up an entire proof-of-concept document. IN THEORY, this could make it very difficult for would-be hackers, although I wouldn't say foolproof.

The idea was to set up a frameset with one invisible frame and one full-screen frame. Into the invisible frame would go an ActiveX control that was encrypted with a custom binary encrypter program (could be an applet too, but obfuscation isn't as good as encoding a binary). Basically, every form submission to the server would go through the control, and every response from the server would go through it, both encrypted. On the response from the server, HTML is generated out of the control and placed into the frame in an obfuscated form. JavaScript is used to guard against right-clicks and keyboard shortcuts, and since the app starts up in its own chromeless window, it's relatively secure from most client-side exploits. There is a handshake between the control and the server at startup that basically sets up a temporary public/private key pair, the point being to make it impossible to just issue commands via Telnet. You'd have to fake considerably more than just some URLs or header variables.

So, the idea is that you could probably still get at the source, but it wouldn't be in cache, so you'd probably have to use a memory scanner, but even if you did that it would be in an obfuscated form. Not impossible to decipher, but probably hard enough that most people wouldn't bother. Getting at the server is going to be difficult. You could still decompile the control, but that's not going to be at all easy either, considering the obfuscation and encryption (think a PE compactor approach).

I think making it tough is about as good as you can hope to do, but as Steven said, it's ALWAYS going to be defeatable one way or another.
