I don't think that'll do much. Per Stefan's Rule 1, anything the client stores can be read. If GWT encrypted stuff on the client, a hacker could find out how to invoke the de-encrypt() method pretty quickly.
Related security question: since all apps that use GWT-RPC store data in the same way, does that make GWT apps even less safe than plain old ajax apps? Suppose a user is running 5 GWT-written apps simultaneously. Seems that one script could swipe user data from all the browser tabs at once, if it knows where to look for GWT-serialized objects. Think that's a valid concern?

On Wed, Oct 13, 2010 at 10:29 AM, JuDaC wrote:

> > Do you mean you want GWT to encrypt the object that is stored in
> > memory, before it's sent over RPC?
> - yes, before sending the object or parameters over RPC, it obfuscates
> it.
>
> I'm creating ways to avoid as many attacks as I know or the literature
> mentions. Here, the point is that I was wondering if GWT does not offer
> something to make sure each request is really unique, avoiding for
> example multiple requests of the same one (i.e. by tagging the
> package).
>
> I checked AcrIS, but it's not for the same purpose.
>
> The idea was to exchange XP on GWT security, because I might be creating
> things that the community offers.
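The request-uniqueness idea raised in the quoted message, as an added example that is not part of this thread and not GWT's own API: a server-side one-time token check in plain Java. The class name `ReplayGuard`, the 60-second lifetime and the session ids are assumptions; all state lives on the server, so the client only echoes back an opaque value and stores nothing secret.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Server-side one-time request tokens; all names here are hypothetical. */
public class ReplayGuard {
    private static final long TTL_MS = 60_000;           // assumed token lifetime
    private final SecureRandom rng = new SecureRandom();
    // token -> "sessionId|expiryMillis"; kept on the server only
    private final Map<String, String> issued = new ConcurrentHashMap<>();

    /** Issue a fresh token bound to one session; the client just echoes it back. */
    public String issue(String sessionId, long nowMs) {
        byte[] raw = new byte[16];
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        issued.put(token, sessionId + "|" + (nowMs + TTL_MS));
        return token;
    }

    /** True exactly once per token, only for the owning session and before expiry. */
    public boolean consume(String sessionId, String token, long nowMs) {
        if (token == null) return false;
        // Atomic remove: a replayed request finds nothing. A token presented
        // by the wrong session is burned as well.
        String entry = issued.remove(token);
        if (entry == null) return false;
        int sep = entry.lastIndexOf('|');
        boolean sameSession = entry.substring(0, sep).equals(sessionId);
        boolean fresh = nowMs <= Long.parseLong(entry.substring(sep + 1));
        return sameSession && fresh;
    }

    public static void main(String[] args) {
        ReplayGuard guard = new ReplayGuard();
        long t0 = System.currentTimeMillis();
        String tok = guard.issue("session-A", t0);        // constructed sample values
        System.out.println("first use:     " + guard.consume("session-A", tok, t0 + 10));
        System.out.println("replayed:      " + guard.consume("session-A", tok, t0 + 20));
        String tok2 = guard.issue("session-A", t0);
        System.out.println("wrong session: " + guard.consume("session-B", tok2, t0 + 10));
        String tok3 = guard.issue("session-A", t0);
        System.out.println("expired:       " + guard.consume("session-A", tok3, t0 + TTL_MS + 1));
    }
}
```

Tokens that are issued but never used stay in the map in this sketch; a deployment would evict expired entries periodically.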
