> What are the security risks for using a datasource that
> connects to that remote database? Isn't the username and
> password passed to that database unencrypted? Wouldn't this
> be a huge security risk?

Generally, yes, this could be a very large security risk. Most database connections are unencrypted by default, so it would be fairly trivial to pluck logins from the traffic if you had access to either endpoint, or to a network used by either endpoint.

The way you deal with this is the way you deal with any similar problem - use adequate encryption. This may range from SSL (which is supported by SQL Server, but I haven't set that up with CF) to a VPN tunnel.

> Are there any documented cases in which the username and
> password have been sniffed allowing the hacker to log in to
> the remote database?

I can't point to any offhand, but I would certainly assume that it's been done, since it's simple to do. I would also argue that the knowledge that this is easy to do would require you to use encryption simply to meet due diligence requirements.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
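
An added example, not part of the original post: a small audit of SQL Server datasource URLs for the encryption settings the reply recommends. It assumes the Microsoft JDBC driver URL form (`jdbc:sqlserver://host:port;property=value;...`) and its `encrypt` and `trustServerCertificate` properties; the host names and URLs are constructed sample data, and the function names are hypothetical.

```python
# Added example: audit SQL Server JDBC URLs for transport encryption settings.
# Assumption: Microsoft JDBC driver URL form and property names.
PREFIX = "jdbc:sqlserver://"

def parse_jdbc_url(url):
    """Split a URL into (server, {lowercased property name: value})."""
    if not url.lower().startswith(PREFIX):
        raise ValueError("not a jdbc:sqlserver URL: %r" % url)
    server, _, rest = url[len(PREFIX):].partition(";")
    props = {}
    for item in rest.split(";"):
        if "=" in item:
            key, _, value = item.partition("=")
            props[key.strip().lower()] = value.strip()
    return server, props

def audit(url):
    """Return findings; an empty list means TLS is requested and the
    server certificate is validated."""
    _, props = parse_jdbc_url(url)
    findings = []
    encrypt = props.get("encrypt", "").lower()
    if encrypt == "":
        # Older driver versions default to no encryption, so be explicit.
        findings.append("encrypt not set: behaviour depends on the driver default")
    elif encrypt not in ("true", "strict"):
        findings.append("encrypt=%s: the driver does not request TLS" % encrypt)
    if props.get("trustservercertificate", "false").lower() == "true":
        # Encrypted, but any certificate is accepted, so an on-path
        # host can still impersonate the database server.
        findings.append("trustServerCertificate=true: server identity is not verified")
    return findings

# Constructed sample datasource URLs (not from the original post).
SAMPLES = [
    "jdbc:sqlserver://db.example.internal:1433;databaseName=app",
    "jdbc:sqlserver://db.example.internal:1433;databaseName=app;encrypt=false",
    "jdbc:sqlserver://db.example.internal:1433;encrypt=true;trustServerCertificate=true",
    "jdbc:sqlserver://db.example.internal:1433;encrypt=true;trustServerCertificate=false",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample)
        for finding in audit(sample) or ["ok"]:
            print("   ", finding)
```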

