Yeah, I realized that by throwing out that very "generic" statement I might
get some push-back, but thank you very much for your not-so-generic answer.
It helps quite a bit and has created a few other internal questions that we
now need answers to!

Thanks everyone! Very helpful.


-----Original Message-----
From: Dave Watts [mailto:[email protected]] 
Sent: Thursday, January 20, 2011 4:27 PM
To: cf-talk
Subject: Re: Secure or Not So Secure?


> Here is the code: Secure or not so secure? (No vpn or ssh tunnel, 
> traffic is right over the internet via SSL 2048bit between two CF 8 
> Servers)

What do you mean by secure? What is the security threat you're trying to
address? Just asking "is X secure" isn't really specific enough to be easily
answered in many cases.

If you're concerned about whether people can view information in transit,
TLS/SSL is adequate for most threat levels.

If you're concerned that someone could invoke the service from another
machine, and potentially brute-force the password, use something that
addresses this problem: client certificates, VPN tunneling, standard port
blocking, etc.

If you're concerned that someone could identify the password on the client,
use something that addresses secure password storage: DPAPI, server startup
keys, PKI, etc.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule,
and provides the highest caliber vendor-authorized instruction at our
training centers, online, or onsite.



Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:341069
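The second and third concerns in Dave's reply (another machine invoking the service and brute-forcing the password, and the password being recoverable on the calling box) are both addressed by his first suggestion, client certificates: the server only completes the TLS handshake with a peer holding a key certified by a CA you control, and there is no shared password to guess or to dig out of the client. The following is an added example, not code from the thread and not ColdFusion; it is Go, chosen because the standard library can mint the certificates and run both ends of the exchange offline. The CA and host names ("hypothetical CA", "service-host", "calling-host") and the one-day validity are made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mints a P-256 certificate from tmpl: self-signed when parent is the zero value (the CA), else signed by parent.
func issue(tmpl *x509.Certificate, parent tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	signer, signerKey := tmpl, any(key)
	if parent.Leaf != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// tmpl builds a one-day template (made-up lifetime). CA templates get CertSign; leaves get the requested
// extended key usage and loopback IP SANs, since httptest serves on 127.0.0.1 (or ::1) and the client checks that.
func tmpl(cn string, serial int64, isCA bool, eku ...x509.ExtKeyUsage) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		ExtKeyUsage:           eku,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// Demo stands up a TLS server that demands client certificates from a private CA and calls it twice, first
// without and then with such a certificate, reporting whether the anonymous call was refused and what the
// certified caller received.
func Demo() (anonRejected bool, status int, body string, err error) {
	ca := issue(tmpl("hypothetical CA", 1, true), tls.Certificate{}) // names are assumptions for the demo
	server := issue(tmpl("service-host", 2, false, x509.ExtKeyUsageServerAuth), ca)
	client := issue(tmpl("calling-host", 3, false, x509.ExtKeyUsageClientAuth), ca)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The handshake already proved the peer holds a key our CA certified; the subject says which peer.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the setting that shuts out other machines
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	}
	srv.StartTLS()
	defer srv.Close()
	// Caller 1 trusts the CA but presents no certificate: the server must refuse it.
	anon := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}}
	if resp, e := anon.Get(srv.URL); e != nil {
		anonRejected = true
	} else {
		resp.Body.Close()
	}
	// Caller 2 adds the CA-issued client certificate and is identified by it; no password is involved.
	auth := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		RootCAs: pool, Certificates: []tls.Certificate{client},
	}}}
	resp, err := auth.Get(srv.URL)
	if err != nil {
		return
	}
	defer resp.Body.Close()
	raw, err := io.ReadAll(resp.Body)
	return anonRejected, resp.StatusCode, string(raw), err
}
```

Running Demo() shows the first caller failing (the server sends a TLS "certificate required" alert, so no request is ever processed) and the second getting 200 with "hello calling-host". The point to carry back to any TLS stack, the CF 8 servers in the thread included, is that the protection lives in the server-side requirement to verify the client certificate against your own CA; the calling side then needs to protect a private key rather than a password, which is the storage problem Dave's third paragraph is about.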