Re: [flexcoders] Re: Best way to secure a ColdFusion web service
On Friday 25 Apr 2008, valdhor wrote:
> True. But they would need to know the location (It is not in the WSDL), the username and the password.

All of which are sent over the wire.

-- 
Tom Chiverton
Helping to widespreadedly exploit scalable interfaces on: http://thefalken.livejournal.com

This email is sent for and on behalf of Halliwells LLP. Halliwells LLP is a limited liability partnership registered in England and Wales under registered number OC307980 whose registered office address is at Halliwells LLP, 3 Hardman Square, Spinningfields, Manchester, M3 3EB. A list of members is available for inspection at the registered office. Any reference to a partner in relation to Halliwells LLP means a member of Halliwells LLP. Regulated by The Solicitors Regulation Authority.

CONFIDENTIALITY
This email is intended only for the use of the addressee named above and may be confidential or legally privileged. If you are not the addressee you must not read it and must not use any information contained in nor copy it nor inform any person other than Halliwells LLP or the addressee of its existence or contents. If you have received this email in error please delete it and notify Halliwells LLP IT Department on 0870 365 2500. For more information about Halliwells LLP visit www.halliwells.com.

-- 
Flexcoders Mailing List
FAQ: http://groups.yahoo.com/group/flexcoders/files/flexcodersFAQ.txt
Search Archives: http://www.mail-archive.com/flexcoders%40yahoogroups.com

Yahoo! Groups Links
* To visit your group on the web, go to: http://groups.yahoo.com/group/flexcoders/
* Your email settings: Individual Email | Traditional
* To change settings online go to: http://groups.yahoo.com/group/flexcoders/join (Yahoo! ID required)
* To change settings via email: mailto:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
* To unsubscribe from this group, send an email to: [EMAIL PROTECTED]
* Your use of Yahoo! Groups is subject to: http://docs.yahoo.com/info/terms/
Re: [flexcoders] Re: Best way to secure a ColdFusion web service
On Friday 25 Apr 2008, Randy Martin wrote:
> I've never actually done this, but can't you encrypt the credentials in Flex, send them to the webservice, and decrypt them in the service?

Yes, you could. But I can write my own client that just does the same thing.

-- 
Tom Chiverton
Helping to biannually orchestrate ubiquitous eyeballs on: http://thefalken.livejournal.com
[flexcoders] Re: Best way to secure a ColdFusion web service
Tom

Are we on the same page here? We use SSL Encryption of the username and password as well as the data going over the wire. Are you saying that it is trivial for someone to find out the source and destination of the encrypted SSL stream, grab this data off the wire and decrypt it?

--- In flexcoders@yahoogroups.com, Tom Chiverton [EMAIL PROTECTED] wrote:
> On Friday 25 Apr 2008, valdhor wrote:
> > True. But they would need to know the location (It is not in the WSDL), the username and the password.
>
> All of which are sent over the wire.
Re: [flexcoders] Re: Best way to secure a ColdFusion web service
On Monday 28 Apr 2008, valdhor wrote:
> We use SSL Encryption of the username and password as well as the data going over the wire.

Uh huh.

> Are you saying that it is trivial for someone to find out the source and destination of the encrypted SSL stream, grab this data off the wire and decrypt it?

I'm saying I can, and have, used WebScarab (for instance) as an SSL proxy, and been able to see the plain text of both request and response. It's a free Java tool, and I've personally had it work on both WinXP and SuSE Linux.

-- 
Tom Chiverton
Helping to dynamically reinvent frictionless e-commerce on: http://thefalken.livejournal.com
[flexcoders] Re: Best way to secure a ColdFusion web service
Hmmm - I will have to check out WebScarab.

--- In flexcoders@yahoogroups.com, Tom Chiverton [EMAIL PROTECTED] wrote:
> I'm saying I can, and have, used WebScarab (for instance) as an SSL proxy, and been able to see the plain text of both request and response. It's a free Java tool, and I've personally had it work on both WinXP and SuSE Linux.
Re: [flexcoders] Re: Best way to secure a ColdFusion web service
This is similar to ServiceCapture, Charles, Wireshark, etc, eh? They are 'man-in-the-middle' tools. They have to be installed and running on the PC to intercept/view any http/https requests. Tom, you are merely suggesting that it is possible that a user could have a man-in-the-middle virus/proggy running unbeknownst to them?

DK

On Mon, Apr 28, 2008 at 11:13 AM, valdhor [EMAIL PROTECTED] wrote:
> Hmmm - I will have to check out WebScarab.
>
> --- In flexcoders@yahoogroups.com, Tom Chiverton [EMAIL PROTECTED] wrote:
> > I'm saying I can, and have, used WebScarab (for instance) as an SSL proxy, and been able to see the plain text of both request and response. It's a free Java tool, and I've personally had it work on both WinXP and SuSE Linux.

-- 
Douglas Knudsen
http://www.cubicleman.com
this is my signature, like it?
Re: [flexcoders] Re: Best way to secure a ColdFusion web service
On Monday 28 Apr 2008, Douglas Knudsen wrote:
> Tom, you are merely suggesting that it is possible that a user could have a man-in-the-middle virus/proggy running unbeknownst to them?

I believe the original problem was that end users might try and write their own client, using the same services provided for the 'official' Flex client, i.e. "How do we make sure no unauthorized consumers succeed in getting data back from our web service calls."
In which case, I was just pointing out SSL isn't a defence against that sort of threat, and further - so what? 'Good luck to them'.

If the OP meant 'How do we make sure only customers can succeed in getting data back, and that they only see what they should' then some sort of login(user,pass):TokenString method that associates a time-limited token with a username, and a matching 'getUserForToken(TokenString):user' method in each remote method should do the job, for instance.
You might want to run *that* over SSL to stop non-customers stealing a customer's password, but in the real world it's rare to have a full blown man-in-the-middle attack against your service that the end user *isn't* aware of.
There are Trojan keyloggers, of course, that specifically look for HTTPS traffic to popular web sites (banks), and then switch on an SSL proxy...

-- 
Tom Chiverton
Helping to authoritatively conquer user-centric initiatives on: http://thefalken.livejournal.com
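The login(user,pass):TokenString / getUserForToken(TokenString):user pair Tom sketches, as an added example that is not code from the thread or from any poster. It is written in Python rather than as a CFC so it runs stand-alone; the user table, the order rows, the 15-minute token lifetime and the get_orders remote method are constructed assumptions.

```python
"""Time-limited login tokens for a web service (added example, not thread code).

login(user, password) -> token string, get_user_for_token(token) -> user, and a
remote method that resolves the token before returning any rows.  A client
written by hand still needs a valid password to get data, and only sees its own.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime: tokens die 15 minutes after issue


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256 so a leaked user table does not hand out the passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class TokenRecord:
    user: str
    expires_at: float


class TokenService:
    def __init__(self, users: Dict[str, Tuple[bytes, bytes]],
                 clock: Callable[[], float] = time.time):
        # users: username -> (salt, pbkdf2 hash); clock is injectable for tests
        self._users = users
        self._clock = clock
        self._tokens: Dict[str, TokenRecord] = {}

    def login(self, user: str, password: str) -> Optional[str]:
        """Return a fresh opaque token, or None if the credentials are wrong."""
        record = self._users.get(user)
        # Hash even for unknown users so timing does not reveal which names exist.
        salt, expected = record if record else (b"\x00" * 16, b"\x00" * 32)
        candidate = hash_password(password, salt)
        if record is None or not hmac.compare_digest(candidate, expected):
            return None
        token = secrets.token_urlsafe(32)  # 256 random bits: not guessable
        self._tokens[token] = TokenRecord(user, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def get_user_for_token(self, token: str) -> Optional[str]:
        """Resolve a token to its user, or None if it is unknown or expired."""
        rec = self._tokens.get(token)
        if rec is None:
            return None
        if self._clock() >= rec.expires_at:
            del self._tokens[token]  # expired: drop it so it cannot be reused
            return None
        return rec.user

    def logout(self, token: str) -> None:
        self._tokens.pop(token, None)


# Constructed sample rows standing in for what the CFC would read from a database.
ORDERS = {"alice": ["A-100", "A-101"], "bob": ["B-7"]}


def get_orders(service: TokenService, token: str) -> List[str]:
    """A remote method: resolve the token first, then return only the caller's rows."""
    user = service.get_user_for_token(token)
    if user is None:
        raise PermissionError("invalid or expired token")
    return list(ORDERS.get(user, []))


def make_demo_service(clock: Callable[[], float] = time.time) -> TokenService:
    """Service with two constructed users: alice / 'correct horse', bob / 'hunter2'."""
    users = {}
    for name, pw in (("alice", "correct horse"), ("bob", "hunter2")):
        salt = secrets.token_bytes(16)
        users[name] = (salt, hash_password(pw, salt))
    return TokenService(users, clock)
```

The login call is the one step worth running over SSL, since it is the only place the password itself crosses the wire; every later call carries only the short-lived token.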
[flexcoders] Re: Best way to secure a ColdFusion web service
We don't use Flex to access our Web Services; we use PHP or Perl. To stop unauthorized access we use a combination of SSL as well as wssecurity (http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd).

I don't know if Flex allows you to create SOAP Headers but if it does you could use WSSecurity. If not, you could add a layer in the middle, say written in PHP, to contact your Web Service and use, say, WebORB to return the data to your Flex application.

--- In flexcoders@yahoogroups.com, richclient [EMAIL PROTECTED] wrote:
> Our flex application is using mx:WebService where the web service is a ColdFusion CFC. Works great. Now we need to deploy the application and the web service in a production environment across SSL, and ensure that not just any application can call that web service.
>
> With Flex calling the ColdFusion web service, we cannot hold the credentials in a session scope because there isn't one for a web service. (?)
>
> How do we make sure no unauthorized consumers succeed in getting data back from our web service calls? Are we going to have to pass credentials to the web service on every call?
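What the wsse header valdhor mentions actually carries, and what the service has to check on each call, as an added example that is not the thread's code: a UsernameToken in PasswordDigest form per the WSS UsernameToken Profile 1.0, built on the client side and verified on the server side, in Python as a stand-in for the PHP/Perl client and the CF service. The 5-minute freshness window, the user names, passwords and timestamps are constructed.

```python
"""WS-Security UsernameToken (PasswordDigest) on a SOAP call, both sides.

Added example, not the thread's code.  The header carries Username, a Nonce,
a Created stamp and Password = Base64(SHA-1(nonce + created + password)) per
the WSS UsernameToken Profile 1.0; the service checks the digest, that Created
is fresh, and that the nonce has not been seen before (replay).
"""
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
MAX_SKEW = timedelta(minutes=5)  # assumed window for the Created stamp
STAMP = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()


def build_envelope(username: str, password: str, body_xml: str, now: datetime) -> str:
    """Client side: wrap a SOAP body in an envelope carrying a UsernameToken header."""
    nonce = secrets.token_bytes(16)
    created = now.strftime(STAMP)
    return (
        f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>'
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
        f"<wsse:Username>{username}</wsse:Username>"
        f'<wsse:Password Type="{DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>'
        f"<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>"
        f"<wsu:Created>{created}</wsu:Created>"
        f"</wsse:UsernameToken></wsse:Security></soap:Header>"
        f"<soap:Body>{body_xml}</soap:Body></soap:Envelope>"
    )


class UsernameTokenVerifier:
    def __init__(self, passwords: Dict[str, str]):
        # Digest mode needs the clear password on the server, so this store is sensitive.
        self._passwords = passwords
        self._seen: Set[bytes] = set()  # prune by the Created window in a real service

    def verify(self, envelope: str, now: datetime) -> Optional[str]:
        """Server side: return the authenticated username, or None to reject the call."""
        tok = ET.fromstring(envelope).find(f".//{{{WSSE}}}UsernameToken")
        if tok is None:
            return None
        user = tok.findtext(f"{{{WSSE}}}Username")
        pw_el = tok.find(f"{{{WSSE}}}Password")
        nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        # Only digest tokens are accepted; a PasswordText token would carry the clear password.
        if not (user and nonce_b64 and created and pw_el is not None and pw_el.get("Type") == DIGEST):
            return None
        stamp = datetime.strptime(created, STAMP).replace(tzinfo=timezone.utc)
        if abs(now - stamp) > MAX_SKEW:
            return None  # stale or future-dated token
        nonce = base64.b64decode(nonce_b64)
        if nonce in self._seen:
            return None  # replayed message
        password = self._passwords.get(user)
        expected = password_digest(nonce, created, password or "")
        if password is None or not hmac.compare_digest(expected, pw_el.text or ""):
            return None
        self._seen.add(nonce)
        return user


def run_demo() -> Dict[str, Optional[str]]:
    """Round-trip with constructed values; keys name the case, values the verify() result."""
    now = datetime(2008, 4, 25, 12, 0, 0, tzinfo=timezone.utc)
    svc = UsernameTokenVerifier({"customer1": "s3cret"})  # constructed credentials
    good = build_envelope("customer1", "s3cret", "<getData/>", now)
    return {
        "valid": svc.verify(good, now),
        "replay": svc.verify(good, now),
        "wrong_password": svc.verify(build_envelope("customer1", "nope", "<getData/>", now), now),
        "stale": svc.verify(build_envelope("customer1", "s3cret", "<getData/>", now), now + timedelta(minutes=10)),
        "unknown_user": svc.verify(build_envelope("mallory", "x", "<getData/>", now), now),
    }
```

Passing these checks proves the caller holds the password, not which program made the call, which is the distinction Tom draws in his reply.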
Re: [flexcoders] Re: Best way to secure a ColdFusion web service
On Friday 25 Apr 2008, valdhor wrote:
> We don't use Flex to access our Web Services; We use PHP or Perl. To stop unauthorized access we use a combination of SSL as well as wssecurity

Just to be clear, this doesn't 'stop' anyone writing their own client for your service.

-- 
Tom Chiverton
Helping to widespreadedly streamline intuitive markets on: http://thefalken.livejournal.com
[flexcoders] Re: Best way to secure a ColdFusion web service
I've never actually done this, but can't you encrypt the credentials in Flex, send them to the webservice, and decrypt them in the service?

~randy

--- In flexcoders@yahoogroups.com, Tom Chiverton [EMAIL PROTECTED] wrote:
> On Friday 25 Apr 2008, valdhor wrote:
> > We don't use Flex to access our Web Services; We use PHP or Perl. To stop unauthorized access we use a combination of SSL as well as wssecurity
>
> Just to be clear, this doesn't 'stop' anyone writing their own client for your service.
[flexcoders] Re: Best way to secure a ColdFusion web service
Check out the AS3Crypto library at http://crypto.hurlant.com/

~randy

--- In flexcoders@yahoogroups.com, Randy Martin [EMAIL PROTECTED] wrote:
> I've never actually done this, but can't you encrypt the credentials in Flex, send them to the webservice, and decrypt them in the service?
>
> ~randy
>
> --- In flexcoders@yahoogroups.com, Tom Chiverton tom.chiverton@ wrote:
> > Just to be clear, this doesn't 'stop' anyone writing their own client for your service.
RE: [flexcoders] Re: Best way to secure a ColdFusion web service
If you're purely in a CF environment, why not use CFLOGIN, Roles and SSL? The individual will have to authenticate, and his credentials will be passed with each request, but with SSL the request headers won't be readable.

As far as ensuring a particular set of credentials are in use by only one person at a time, there are ways to accomplish this by uniquely id'ing each client that's accessing your web services. You could store your unique id as a SharedObject and build server side logic to check for attempts to login by other client instances using those credentials.

Jeff

-----Original Message-----
From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Tom Chiverton
Sent: Friday, April 25, 2008 11:05 AM
To: flexcoders@yahoogroups.com
Subject: Re: [flexcoders] Re: Best way to secure a ColdFusion web service

On Friday 25 Apr 2008, valdhor wrote:
> We don't use Flex to access our Web Services; We use PHP or Perl. To stop unauthorized access we use a combination of SSL as well as wssecurity

Just to be clear, this doesn't 'stop' anyone writing their own client for your service.
[flexcoders] Re: Best way to secure a ColdFusion web service
True. But they would need to know the location (It is not in the WSDL), the username and the password.

--- In flexcoders@yahoogroups.com, Tom Chiverton [EMAIL PROTECTED] wrote:
> On Friday 25 Apr 2008, valdhor wrote:
> > We don't use Flex to access our Web Services; We use PHP or Perl. To stop unauthorized access we use a combination of SSL as well as wssecurity
>
> Just to be clear, this doesn't 'stop' anyone writing their own client for your service.
Re: [flexcoders] Re: Best way to secure a ColdFusion web service
SSL is key (assuming it blocks out the data) as it is pretty trivial to find the service location, and even the method names, with something like ServiceCapture. So unless the traffic is over SSL, you can easily see things like id's and passwords passed into the services. I am curious to see what ServiceCapture would see over an SSL connection with a gateway.

d

On 25-Apr-08, at 1:29 PM, valdhor wrote:
> True. But they would need to know the location (It is not in the WSDL), the username and the password.
>
> --- In flexcoders@yahoogroups.com, Tom Chiverton [EMAIL PROTECTED] wrote:
> > Just to be clear, this doesn't 'stop' anyone writing their own client for your service.