On Monday 28 Apr 2008, Douglas Knudsen wrote:
> Tom, you are merely suggesting that it is possible that a user could have a
> man-in-the-middle virus/proggy running unbeknownst to them?

I believe the original problem was that end users might try and write their own 
client, using the same services provided for the 'official' Flex client, i.e.
"How do we make sure no unauthorized consumers succeed in getting data back 
from our web service calls".

In which case, I was just pointing out SSL isn't a defence against that sort 
of threat, and further - so what? 'Good luck to them'. 

If the OP meant 'How do we make sure only customers can succeed in getting 
data back, and that they only see what they should' then some sort 
of "login(user,pass):TokenString" method that associates a time-limited token 
with a username, and a matching 'getUserForToken(TokenString):user' method in 
each remote method should do the job, for instance.
You might want to run *that* over SSL to stop non-customers stealing a 
customer's password, but in the real world it's rare to have a full blown 
man-in-the-middle attack against your service that the end user *isn't* aware 
of.

There are Trojan keyloggers, of course, that specifically look for HTTPS 
traffic to popular web sites (banks), and then switch on an SSL proxy...

-- 
Tom Chiverton
Helping to authoritatively conquer user-centric initiatives
on: http://thefalken.livejournal.com
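The login(user,pass):TokenString / getUserForToken(TokenString):user scheme sketched in the message above, written out as an added example that is not from this thread or from any Flex project. The user table, salt, order data and 15-minute token lifetime are constructed, and the server side is assumed to be Python; every remote method resolves the token first and then returns only the caller's own rows.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed token lifetime (constructed value)

def _hash_pw(salt: bytes, password: str) -> bytes:
    # Slow, salted hash so a leaked table does not hand out passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user table: username -> (salt, password hash).
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash_pw(_SALT, "correct horse")),
         "bob": (_SALT, _hash_pw(_SALT, "hunter2"))}

# token -> (username, expiry); a real deployment keeps this in a shared store.
_sessions = {}

def login(user: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """login(user,pass):TokenString -- returns a time-limited token, or None."""
    now = time.time() if now is None else now
    entry = USERS.get(user)
    if entry is None:
        _hash_pw(_SALT, password)  # same cost for unknown users (no username oracle)
        return None
    salt, expected = entry
    if not hmac.compare_digest(_hash_pw(salt, password), expected):
        return None
    token = secrets.token_urlsafe(32)  # unguessable, not derived from the user
    _sessions[token] = (user, now + TOKEN_TTL_SECONDS)
    return token

def get_user_for_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """getUserForToken(TokenString):user -- None if unknown or expired."""
    now = time.time() if now is None else now
    entry = _sessions.get(token)
    if entry is None:
        return None
    user, expires = entry
    if now >= expires:
        _sessions.pop(token, None)  # expired: drop it so it cannot be replayed
        return None
    return user

# Constructed per-customer data; each remote method scopes results to the caller.
ORDERS = {"alice": ["A-1", "A-2"], "bob": ["B-1"]}

def get_orders(token: str, now: Optional[float] = None) -> list:
    """A remote method: resolve the token first, then return only the caller's rows."""
    user = get_user_for_token(token, now)
    if user is None:
        raise PermissionError("invalid or expired token")
    return list(ORDERS.get(user, []))
```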
