Axton, I think I have to question you on this one...

> - passwords sent via the login page: no

I remember seeing a JavaScript encoding function that encodes the value the user enters. However, if the web server is not SSL'ed then that encoded value is sent "in the clear" to the server. (It is just scrambled a bit first.) I think it would be easy for the average web developer to look at the login page and use the JavaScript code to build a function to "unscramble" the encoded password. (Although I have not tried to do it. I just expect that the process is reversible and since I should have access to all of the code that the browser uses.... the reverse algorithm just should not be hard to figure out.)

So in my opinion, without an SSL cert, all of the mid-tier is "in the clear". And I mean not just the passwords, but the portion of the "form" that the client sees is also "in the clear". So if you did something very silly like embed a password in an Active Link action.. well... that might (I have not confirmed it) also show up in the browser in clear text too. (And on the User Tool arf/arv files too, but that is a slightly different story.)

Did I misunderstand the login page? Did I misunderstand the phrase "in the clear"?

--
Carey Matthew Black
Remedy Skilled Professional (RSP)
ARS = Action Request System(Remedy)

Love, then teach
Solution = People + Process + Tools
Fast, Accurate, Cheap.... Pick two.

On 9/27/07, Axton <[EMAIL PROTECTED]> wrote:
> Which passwords?
> - passwords sent in a url: yes
> - passwords sent for the mid-tier config page: no
> - passwords for each server as configured in the mid-tier config page: no
>
> In the first case, an ssl cert will not help you. In the 2nd and 3rd
> cases, an ssl cert will strengthen the data against outside
> eavesdroppers. In the 4th case, configuring encryption on the
> arserver will strengthen the data against outside eavesdroppers.
>
> Axton Grams
>
> On 9/27/07, Greg Donalson <[EMAIL PROTECTED]> wrote:
> > ARSList,
> >
> > Are Mid-Tier passwords passed in clear text? If so, is the best way to get
> > around this to add a security certificate to the Mid-Tier server? Or
> > are there other ways to get around it? Thanks!
> >
> > Greg

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org ARSlist:"Where the Answers Are"
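The point argued in the message above, as an added example that is not part of the original thread and is not Mid-Tier code: a keyless transform shipped to the browser can be inverted by reading it, so only the transport protects the value. `scramble` is a constructed stand-in (the actual login-page routine is not shown on this page), and the `midtier.example` URLs and `submissionIsEncrypted` helper are hypothetical.

```javascript
// Constructed stand-in for a keyless login-page "encoding" routine.
// NOT the Mid-Tier's algorithm; it only shares the property under discussion:
// every step is delivered to the browser and no secret is involved.
function scramble(password) {
  const bytes = new TextEncoder().encode(password);
  const out = [];
  bytes.forEach((b, i) => {
    const v = ((b + 7 * (i + 1)) & 0xff) ^ 0x5a; // shift by position, XOR a constant
    out.push(v.toString(16).padStart(2, '0'));
  });
  return out.reverse().join('');                 // reverse the byte order
}

// Inverse written purely by reading scramble(): undo each step in reverse order.
function unscramble(wire) {
  const pairs = wire.match(/../g) || [];
  const bytes = pairs.reverse().map((h, i) =>
    ((parseInt(h, 16) ^ 0x5a) - 7 * (i + 1)) & 0xff);
  return new TextDecoder().decode(Uint8Array.from(bytes));
}

// What decides whether the submitted value is readable on the wire:
// the scheme of the URL the form posts to, resolved the way a browser would.
function submissionIsEncrypted(pageUrl, formAction) {
  const target = new URL(formAction || pageUrl, pageUrl); // empty action posts to the page
  return target.protocol === 'https:';
}

// Constructed sample values, for illustration only.
const sample = 'Example-Passw0rd';
const wire = scramble(sample);
console.log('on the wire :', wire);
console.log('recovered   :', unscramble(wire));
console.log('http form   :', submissionIsEncrypted('http://midtier.example/login', 'submit'));
console.log('https form  :', submissionIsEncrypted('https://midtier.example/login', 'submit'));
```

The scrambled value looks opaque but round-trips without any key, while the transport check is the property an SSL certificate on the web server changes.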

