The answer is "encryption" the flavor of encryption is up to you.
If I had to resolve this problem and I was coding this for myself and therefore had total control over the process I would not use SSL due to the weaknesses of SSL and I would cook-up my own encryption strategy using the longest key length I could find with some minor tweaks to help make the encrypted data envelope even more secure than it might be otherwise. Call me cautious or careful or just way overboard on this one but don't think for a second if I wanted to keep something from curious eyes that there would be any chance of curious eyes getting to see anything other than a bunch of seemingly random ASCII characters. Trust me when I say, even if the encryption key(s) were known I could still make the encrypted envelope perfectly secure. ----- Original Message ---- From: André Rodrigues Pena <[EMAIL PROTECTED]> To: [email protected] Sent: Thursday, April 5, 2007 2:37:10 PM Subject: Re: [flexcoders] Re: User authentication Thanks again for your help Ray and Peter.. I am actually a little lost. All I want is to guarantee that the user name and password that will go from Flex HTTPService to my JSP web-service will not be intercepted. And I'm also lost about how will I maintain the session with the HTTPService. Cookies dont seem to be possible, URL rewriting is possible mas I'll have to see how will I do that. At the moment of the login, my service will have to pass me a key or something like that. (as someone already mentioned) That I will use along with the other services... I'm lost. lol On 05 Apr 2007 14:23:58 -0700, Peter Farland <[EMAIL PROTECTED] com> wrote: HTTPService has a url property so if you start your URL with https:// then that tells the Flash Player that you want to use SSL to communicate with the web server. Note that to make an HTTPS connection you must load your SWF via a secure URL too. If you're even asking the question "what are the chances of my data being intercepted" then I think you've just made the decision to use SSL. If you're building a commercial application that has personalized data then you will want to use a secure protocol like HTTPS. For a quick and simple explanation of how SSL works see Richard E. Smith's book "Authentication - From Passwords to Public Keys" - Chapter 13.6. ____________ _________ _________ __ From: [EMAIL PROTECTED] ups.com [mailto: [EMAIL PROTECTED] ups.com] On Behalf Of André Rodrigues Pena Sent: Thursday, April 05, 2007 4:55 PM To: [EMAIL PROTECTED] ups.com Subject: Re: [flexcoders] Re: User authentication Guys.. I appreciate all your help. I could realize how many possibilities there are regarding authentication. My question now is: How can I secure my HTTPService? Is there some HTTPSService? What do I do to work with SSL? Or even.. if I send user name and password through an unprotected HTTPService. What are the chances of my data to be intercepted? -- André Rodrigues Pena LOCUS www.locus.com. br Blog www.techbreak. org
