> the communication between the module and the cf app server
> can be encrypted in itself in case there are "listeners"....

Yes, but that's only relevant in the case of a third-party listener between the two endpoints - just like SSL between a browser and a server. On either of the endpoints, the unencrypted communication can be read.

> but yes of course nothing is foolproof...but NOT doing
> this definitely leaves additional vulnerabilities.

That's true, but the severity of these vulnerabilities may not be worth the effort of using this configuration, especially if there are more serious security concerns elsewhere in the application environment.

Personally, I'd feel comfortable in most cases with both services on a single bastion host, as long as that host has been adequately configured. I suspect that directed attacks via CGI vulnerabilities have more serious consequences than directed attacks against web server vulnerabilities, although you're less likely to hear about them than about the latest IIS worm. In any case, it's been my experience that developers are typically less aware of security concerns in their code than system administrators are of proper server configuration.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444

______________________________________________________________________
Get the mailserver that powers this list at http://www.coolfusion.com
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists

