Hah, no, not quite. That would kill all ecommerce overnight if that
happened.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"To announce that there must be no criticism of the president, or that
we are to stand by the president right or wrong, is not only
unpatriotic and servile, but is morally treasonable to the American
public."
-- Theodore Roosevelt
On Feb 8, 2008, at 4:34 PM, Fennell, Mark P. wrote:
sad but true users will be users despite our best efforts. I was
worried that I missed something and all security evaporated overnight.
Stranger things have happened.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H.
Saxe
Sent: Friday, February 08, 2008 4:27 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] will Ajax go away (was JVM version and
ColdFusion)
Yes. Man in the middle proxy to decrypt traffic on the fly. I
don't need to decrypt the traffic, I let SSL do all the work and
just pass the communications through my proxy. Encrypted tunnels
exist between browser -> proxy and proxy-> server. You receive a
certificate warning, but most users will accept them not knowing
what the warning is or why it exists. Google Paros, Fiddler, Burp
Proxy, etc.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"I have always strenuously supported the right of every man to his
own opinion, however different that opinion might be to mine. He who
denies another this right makes a slave of himself to his present
opinion, because he precludes himself the right of changing it."
-- Thomas Paine, 1783
On Feb 8, 2008, at 4:13 PM, Fennell, Mark P. wrote:
<disbelief>
lemme get this straight. you can decrypt SSL traffic into a
human readable format?
you can crack a 128-bit certificate? what about a high-grade
AES 256-bit pipe?
</disbelief>
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H.
Saxe
Sent: Friday, February 08, 2008 4:01 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] will Ajax go away (was JVM version and
ColdFusion)
If secure AMF is just AMF over SSL... its easy enough to modify in
transit.
Darrin, if you or your organization wants a demo of why these
things are insecure, let me know. I'll be more than happy to do
some live web hacking for you. (And yes, Charlie, I haven't
forgotten about you and the meetup...)
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"Dissent is the purest form of patriotism."
--Thomas Jefferson
On Feb 8, 2008, at 3:55 PM, Dean H. Saxe wrote:
*cough* BS.
Flash can be decompiled.
I can watch all of the traffic. Even over SSL.
I can modify AMF (I'd have to look @ secure AMF).
If you'd like to challenge me to hack the app, let me know. I'm
up for it. ;-)
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"If liberty means anything at all, it means the right to tell
people what they do not want to hear."
-- George Orwell, 1945
On Feb 8, 2008, at 11:52 AM, Darin Kohles wrote:
You can always build a Flex (or Flash for that matter) application
that can be put in you page as a 1px by 1px (I'm not sure if 0 by 0
will work) that has nothing on the stage with wmode="transparent".
This application can now act as your portal between the browser
via JS
using the External Interface (or fsCommand going back to Flash ~6).
Then your "invisible" Flex/Flash app can leverage all the
connection
types available (AMF/SecureAMF, Webservice, HttpService etc...)
in a
manner that is not easily accessible to any hacker (you can hide
all
kinds of security checks within this app).
I've always wanted to do a bench mark of this type of app side by
side
with standard Ajax, but the bottom line is that the only browser
specific code would be in how the returned data is applied to
effect
the client content.
On Feb 8, 2008 11:20 AM, shawn gorrell <[EMAIL PROTECTED]> wrote:
Charlie, my main issues with AJAX are dealing with cross-browser
issues, and
security.
AJAX exposes some of the most annoying cross-browser DHTML sort
of things.
Using libraries and frameworks can insulate you from that to a
degree, but
not always completely. I've got a customer doing things with
Google Maps and
we've had some differences between IE and FF that have been
difficult to
solve.
People have gotten so excited about using AJAX that they have
forgotten
basic security principles (things like validating input). I
recently read an
article that discussed the security holes in the more commonly
used
frameworks, so the issue isn't just with roll your own AJAX, it
is more
pervasive.
But, those things said, ultimately I think it is a step forward
in making a
richer browser experience (not as much as Flex though). There
are just some
fleas on the dog that folks should be aware of in advance.
----- Original Message ----
From: Charlie Arehart <[EMAIL PROTECTED]>
To: discussion@acfug.org
Sent: Friday, February 8, 2008 10:58:47 AM
Subject: [ACFUG Discuss] will Ajax go away (was JVM version and
ColdFusion)
That seems a curious statement, Forrest, and I'm sure some
would enjoy a
bit of discussion on it. For those who weren't following
closely, he had
asked first about some challenges using a CFX_google custom tag,
and in the
replies he was told that it's quite old and instead Google
favors some Ajax
APIs instead. Forrest replies he hoped the "Ajax thing would
just go away".
So, do you realize that Ajax is merely a way to make browsers
smarter? It
enables them to make calls to remote servers. Sure, we could do
that in the
past with Java applets, ActiveX controls, Flash, and even plain
Javascript.
And we could of course do it from the server using either REST
or SOAP apis.
Ajax is just a simplified API to enable that very javascript-based
client-server interaction. For those who need to talk to servers
from
clients (either because they can't or don't want to involve a
server to
proxy the communications for them), we don't want them to go
back to Java
and ActiveX, do we? :-) And while we may wish everyone would use
Flex, it's
just not likely. Many will, for the much larger problem space it
solves, but
for the average web developer, it's not really as simple as
dropping in some
AJAX API calls.
If Google (or other vendors) want to create a way for people to
connect, and
they want to make it work regardless of what web app server
platform people
use (and as well for those who have no server), and they provide
an
Ajax-based API to what (I suppose are otherwise REST-based)
services, that's
seems to be just being smart, widening the pool of possible users.
Look at it another way (for us CFers), they (like Amazon, Ebay,
and others)
could instead just document calling from Java, ASP.NET, and PHP.
They tend
to not go that one step further to include CF. At least by their
offering a
platform-agnostic solution that doesn't require any server-side
processing,
they've helped more than just those who have no server to make
calls from.
Just some thoughts. I'm not fanatical about all this, and I may
well myself
be missing a point. But since this is the ACFUG "discussion"
list, that
comment seemed one worth discussing. :-)
/charlie
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Forrest C.
Gilmore
Sent: Thursday, February 07, 2008 5:30 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] JVM version and ColdFusion
Thanks, Charlie. Your comments were very helpful!
I have been hoping that this AJAX thing would just go away, as
it seems to
be to be a step backwards, but it looks like it will be around a
while
longer!
Forrest C. Gilmore
========================
Charlie Arehart wrote:
Forrest, I realize you've perhaps abandoned the effort, but
I'll throw
out some clarification if it's useful, first about the JRE/CFX
issue,
then about calling the google search APIs.
<snip>
-------------------------------------------------------------
Annual Sponsor FigLeaf Software - http://www.figleaf.com
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
-------------------------------------------------------------
Annual Sponsor - Figleaf Software
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink
-------------------------------------------------------------
-------------------------------------------------------------
Annual Sponsor FigLeaf Software - http://www.figleaf.com
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
-------------------------------------------------------------
Annual Sponsor - Figleaf Software
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink
-------------------------------------------------------------
-------------------------------------------------------------
Annual Sponsor - Figleaf Software
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink
-------------------------------------------------------------