Exactly How Secure?

[proton]

Hey guys,

This is a good general article to read with regards to securing web apps:

http://www.zdnet.com/ecommerce/stories/main/0,10475,2706444,00.html

[Anatoli]

Not 100% related to our problem, but educational...

[proton]

quote:

---

Originally posted by Anatoli:

Not 100% related to our problem, but educational...

---

True Anatoli, but it does bear on web apps on the hole..and Filemaker online is a web app. This link is closer to home:

http://tidb.filemaker.com/ti/FMPro?-db=ti.fp5&-lay=list&-sortfield=relevancecalc&-sortorder=descend&select=filemaker&article=web%20companion&-token.0=filemakerweb%20companion&-toke n.1=120&-find=&-format=detail.html&-recid=12599565

[Krishan]

Thanks for all the links Proton. They were interesting to read. (But I think your link has stretched the page... I've got to scroll sideways now... )

Is it possible for a hacker to view the FMPro Web folder's directory listing? If so, how would he do that? I've read about the CIA's homepage being changed.

And what about a hacker creating his own format pages and calling your FMPro databases?

If it is possible for hackers to intercept any transmission between the browser and the server, then shouldn't all pages be secure and use SSL? I haven't finished my project yet so I haven't started using SSL. Is there anything wrong with making every page secure? I know when I log into my email account on the web, the pages aren't secure. Just because it's not credit card details doesn't mean that the information isn't important. What if the hacker got your username and password to your login page?

Another point I have is that the status bar shows the padlock icon. If you use a chromeless window without the status bar for added security (so people can't see the URL of the links), then the customers won't see the padlock.

[ May 24, 2001: Message edited by: Krishan ]

[proton]

quote:

---

Originally posted by Krishan:

And what about a hacker creating his own format pages and calling your FMPro databases?

---

krishan,

That's always been a worry of mine. Not only a hacker creating his own pages, but copying your pages, modifying them, and running them. I got another article from Filemaker's site showing you how to keep your web pages on a completely different server and still let them access your FM Web Folder. It's a tricky situation. A hacker could host pages on another server and access your database.

Do you really need to have all your pages in SSL? That's rarely the case. I guess one needs to know if it's necessary, and if it is then you can do it yes.

[Krishan]

quote:

---

Originally posted by Proton:

I got another article from Filemaker's site showing you how to keep your web pages on a completely different server and still let them access your FM Web Folder.

---

Would you be able to email me the article link? I guess it's a worry if many people learn how to do this. But I'd really like to know what I'm up against.

When you say that hackers can copy your pages, do you mean by viewing and copying the source code? Or do you mean actually downloading the web pages from the FMPro Web folder? Disabling right click will hopefully prevent some hackers from viewing the source code.

Is SSL more costly or more complicated to use if you secure all your web pages?

[elvis_impersonating_penguin]

quote:

---

Originally posted by Krishan:

Disabling right click will hopefully prevent some hackers from viewing the source code.

---

any hacker worth anything isnt going to be stopped by a no-ricght-click script... i am not a hacker in any way, shape, or form, and i know how to get by no-right-click scripts..

[Krishan]

Well, I use a mac so there's no way of disabling my right click (...what right click?). I just meant that it would prevent some people from viewing the source. If you use a pc, how do you get around the no right click?

[ May 25, 2001: Message edited by: Krishan ]

[elvis_impersonating_penguin]

there are alot of ways to get around no right click.. just depends on how the script is written..

ussually you can hold down the right mouse button, press the space bar to get rid of the alert (while still holding down the right button), then release the right mouse button when the alert is gone, and the menu should pop up

there are other ways.. but that is the best way around it...

[ May 25, 2001: Message edited by: bman ]

[Anatoli]

To write CDML page hosted on another machine?

If you do not protect your databases, then everyone can use anything, HTML/CDML page, his/hers FileMaker etc.

You cannot do it with my databases - they do not exist on web.

To disable RightClick provides no security (or 1% only), but makes hacking not straightforward job, but more annoying.

Again, we are not hiding CIA secrets in FileMaker. We just want to have smooth ride, that is all.

[proton]

From most of the research I've done on the web, it appears that though there are some security holes in Web Companion, Filemaker Inc. is right on top of them, and issues patches/updates to web companion. Once you update in a timely manner, you should be pretty okay when it comes to security in Filemaker.