Alaska Software Inc. - what do you think, is this secure ?
Hubert Brandel: what do you think, is this secure ?
on Tue, 05 Apr 2005 22:58:25 +0200
Hi,

I have a friend of mine with a little problem: he has got 5 small 
business locations with old Clipper -> now Xbase++ apps with local data.
The program is not easy to change and the small business is too small to 
pay for VPN WAN lines with secure online connections.

So i thought about that:

Apache Webserver
MySQL on the server
CGI Scripts handles the data from apache to MySQL and back
all behind a firewall with a DSL-Flatrate
Open to the internet is only a virtual server on Port 80
-
Transfer data which is encrypted by Alaska's Crypt() function.
-
the client software puts all data of a record in a string, and POSTs this 
string with an ID string for DATA and command and an ID string for which 
client's data were sent. With loadFromURL()...

The apache server and the client on server side just take the data and 
store it or accept the ID to load it back.

If it is possible HTTPS is used ...

I think this must be secure enough, what do you think ?

Bye
Hubert

----------------

My Homepage:

german  - www.familie-brandel.de/index.htm
english - www.familie-brandel.de/index_e.htm
Boris Borzic Re: what do you think, is this secure ?
on Tue, 05 Apr 2005 23:50:31 +0200
Hubert Brandel <hubert.brandel@gmx.de> wrote in news:vcghnIiOFHA.400
@S15147418:

> If it is possible HTTPS is used ...
Using HTTPS would be the easier and more secure method. 
Have a look at Xb2.NET SSL: http://www.Xb2.NET

> I think this must be secure enought, what do you think ?

You mean using Alaska's Crypt() function?  
That depends how sensitive the data is and how attractive it would be to 
someone. For example, I would not use it to transmit credit card numbers or 
banking info. The more secure way is to use SSL. 

Best regards,
Boris Borzic

http://www.Xb2.NET
http://www.SQLExpress.net
industrial strength Xbase++ development tools
Phil Ide
Re: what do you think, is this secure ?
on Wed, 06 Apr 2005 10:01:10 +0100
Hubert,

> So i thought about that:
> 
> Apache Webserver
> MySQL on the server
> CGI Scripts handles the data from apache to MySQL and back
> all behind a firewall with a DSL-Flatrate
> Open to the internet is only a virtual server on Port 80
> -
> Transfer data which is encrypted by Alaska's Crypt() function.
> -
> the client software puts all data of a record in a string, and POSTs this 
> string with an ID string for DATA and command and an ID string for which 
> client's data were sent. With loadFromURL()...
> 
> The apache server and the client on server side just take the data and 
> store it or accept the ID to load it back.
> 
> If it is possible HTTPS is used ...
> 
> I think this must be secure enough, what do you think ?

No - not unless you either use HTTPS/SSL or a VPN.

However, you have hit on some important facts.  Chiefly, this is a small
company with a limited and known number of possible connections.

You can use Apache, but my advice is to use Xb2.NET and its SOAP services.

Since the number of connections is limited to members of the company, I
would advise you use HTTPS.  You CAN use self-certified certificates, just
bear in mind that they can be spoofed by someone else.  However, in order
to use a spoof certificate, any cracker would also have to hijack your
domain name. You can add further security by requiring client-side
certificates as well, which should be signed either by the server-side
certificate, or both server and client side certificates signed by a
self-signed certificate.

Once you have HTTPS enabled, you can ignore encryption since this is
automatically handled at the socket layer.

When possible, upgrade to a commercial server certificate - Thawte do a
quick-turnaround cheap version which would be ideal for your situation, at
around 120 USD for 2 years it is quite reasonable (check for latest
prices!).

As for the danger that someone will hijack your domain and/or crack your
self-certified cert, consider the amount of traffic between the clients,
the sort of business you are in and how high a profile your company has.
Then consider the effort a cracker must make to be able to read your
traffic, and you will have an estimate of the risk assessment.

Note that 'newbie' crackers like low-volume sites to practice on!

Incidentally, I've been experimenting with using SOAP-like routines in WAA
that receive FORM requests and return the data in an HTML page (rather than
XML/XML).  Using HRF it is very easy to handle returned data, and using
HALit is particularly easy to create response pages.  Requests are
generated using my LoadFromUrl().

Regards,

Phil Ide

***************************************
* Xbase++ FAQ, Libraries and Sources: *
* goto: http://www.idep.org.uk/xbase  *
***************************************

A fool and his money soon become a sysop!
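As an added illustration (not code from any of the posters), this is roughly what Phil's recommendation looks like in Apache httpd 2.4 configuration: port 80 only redirects, the CGI is reachable over HTTPS only, and every branch office must present a client certificate signed by the company's own CA. The hostname and all file paths are placeholders.

```apache
# Port 80 stays open only to push every client to HTTPS; no CGI is served here.
<VirtualHost *:80>
    # placeholder hostname
    ServerName data.example.invalid
    Redirect permanent / https://data.example.invalid/
</VirtualHost>

Listen 443
<VirtualHost *:443>
    ServerName data.example.invalid
    SSLEngine on

    # Server certificate: self-signed, or signed by the company's own CA
    # (placeholder paths).
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # Client-side certificates: the handshake fails unless the branch office
    # presents a certificate signed by the company CA (placeholder path).
    SSLCACertificateFile  /etc/apache2/ssl/company-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  1

    # Only the data-exchange CGI is exposed (placeholder path).
    ScriptAlias /data /usr/lib/cgi-bin/data.cgi
    <Directory /usr/lib/cgi-bin>
        Options +ExecCGI
        Require all granted
    </Directory>

    # Export the verified client identity (e.g. SSL_CLIENT_S_DN_CN) to the CGI
    # script, so it can check the "ID string for which client" in the POST body
    # against the certificate instead of trusting the body alone.
    SSLOptions +StdEnvVars
</VirtualHost>
```

With this in place the data no longer depends on Crypt() for confidentiality; the TLS layer handles it, as Phil notes.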