I don't see how that could be any more of an issue with just standard
POSTs to a servlet through SSL. If the data exists on the client, then
the user has the ability to access it, and there is literally nothing
you can do to stop it. If you don't want a user to see a CC# or a SSN,
then it is your responsibility to not send that information down to
the client. Any decrypting of data on the client requires the client
to have access to the algorithm to decrypt it.

There are measures to prevent cross-site scripting if that is the
technique your hacker is employing.

http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gwt-applications.


On Oct 13, 9:50 am, Brett Thomas <[email protected]> wrote:
> I don't think that'll do much. Per Stefan's Rule 1, anything the client
> stores can be read. If GWT encrypted stuff on the client, a hacker could
> find out how to invoke the de-encrypt() method pretty quickly.
>
> Related security question: since all apps that use GWT-RPC store data in the
> same way, does that make GWT apps even less safe than plain old ajax apps?
> Suppose a user is running 5 GWT-written apps simultaneously. Seems that one
> script could swipe user data from all the browser tabs at once, if it knows
> where to look for GWT-serialized objects. Think that's a valid concern?
>
>
>
> On Wed, Oct 13, 2010 at 10:29 AM, JuDaC <[email protected]> wrote:
>
> > Do you mean you want GWT to encrypt the object that is stored in
> > memory, before it's sent over RPC?
> > - yes, before sending the object or parameters over RPC, it obfuscates
> > it.
>
> > I'm creating ways to avoid as many attacks as I know or the literature
> > mentions. Here, the point is that I was wondering if GWT does not offer
> > something to make sure each request is really unique, avoiding for
> > example multiple requests of the same one (i.e. by tagging the
> > package).
>
> > I checked AcrIS, but it's not for the same purpose.
>
> > The idea was to exchange XP on GWT security, because I might be creating
> > things that the community offers.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/google-web-toolkit?hl=en.
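Both points of this exchange in one added example: the reply's rule that a CC# or SSN must be reduced on the server rather than "decrypted" on the client, and JuDaC's question about making each RPC request unique so the same request cannot be submitted twice. This is not code from the thread or from the GWT project; AccountService, AccountView, issueRequestToken and the session attribute name are assumptions, while RemoteServiceServlet, RemoteService, RemoteServiceRelativePath and IsSerializable are the real GWT types.

```java
// Added illustration for this thread, not GWT project code; every name below is hypothetical.
import com.google.gwt.user.client.rpc.*;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.*;
import javax.servlet.http.HttpSession;

class AccountView implements IsSerializable { // all the client is allowed to see
    public String owner;
    public String ssnLast4;                    // the full SSN never enters this object
}

@RemoteServiceRelativePath("account")
interface AccountService extends RemoteService {
    String issueRequestToken();
    AccountView getAccount(String requestToken);
}

public class AccountServiceImpl extends RemoteServiceServlet implements AccountService {
    private static final SecureRandom RNG = new SecureRandom();
    private static final String TOKENS = "unusedRequestTokens"; // session attribute key
    // Hand out a fresh one-time token; every data RPC must spend one (this "tags" the request).
    public String issueRequestToken() {
        HttpSession session = getThreadLocalRequest().getSession(true);
        String token = new BigInteger(128, RNG).toString(32);
        synchronized (session) { tokensOf(session).add(token); }
        return token;
    }
    // A missing, unknown or already-spent token is refused; redaction happens before serialisation.
    public AccountView getAccount(String requestToken) {
        HttpSession session = getThreadLocalRequest().getSession(false);
        if (session == null || requestToken == null) throw new IllegalStateException("no session or token");
        synchronized (session) {
            if (!tokensOf(session).remove(requestToken)) throw new IllegalArgumentException("token unknown or replayed");
        }
        String fullSsn = "123-45-6789"; // constructed stand-in for the server-side record
        AccountView view = new AccountView();
        view.owner = "Example User";
        view.ssnLast4 = fullSsn.substring(fullSsn.length() - 4); // only this fragment leaves the server
        return view;
    }
    @SuppressWarnings("unchecked")
    private static Set<String> tokensOf(HttpSession session) { // call only while holding the session lock
        Set<String> tokens = (Set<String>) session.getAttribute(TOKENS);
        if (tokens == null) { tokens = new HashSet<String>(); session.setAttribute(TOKENS, tokens); }
        return tokens;
    }
}
```

A second call with the same token fails at the `remove`, so a captured request body cannot be submitted twice, and whatever the client-side debugger reveals about AccountView, the full SSN was never in the serialised payload.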
