Is POST method inherently "secure" and if not, can it be easily made secure or should I use a different protocol entirely?
Please back your statements up with explanation or reference unless they are simply opinion.
The system:
.NET program collecting data with a QR scanner
a web server running CentOS 6
a database on the server to store scans in tables based on QR type.
not all QR types are known now so a new table is created when a new QR type is to be sent.
data needs to get from QR scanner to database as quickly as possible but assume connection is unreliable (think cell phone tethering)
Feel free to comment on my (incorrect?) assumptions about the validity of these other methods I've discounted.
opening a port for MySQL and pushing data in directly - makes IT people panic even if the user has very restricted privileges although I don't see how it's insecure. (also see comments on ssh + MySQL)
using ssh tunnel to insert to MySQL - it's quite conceivable that the database structure will change in the future and I want all the MySQL work done server side so it's easy to modify.
making my own listener on a port on the server and defining my own protocol - seemed daunting at first glance. I know C++/C/Python/PHP so I could do something like this if POST is bad and listener is easy. Don't know where to start or scope of this method.
Example of data packet to be sent. (This is what my .net DLL must receive from the previous person) [QRTypeVersion, HeaderLength, H1, H2, ... DataLength, D1, D2 ..., Comment]
Some good reads:
There are some really good comments about security.
Is either GET or POST more secure than the other?
how to secure POST method without using SSL?
How secure is a HTTP POST?
Hope this helps.
Related
I'm having a problem with my re-frame application. I can't figure out how to connect it to a local database on my machine.
In other applications I've written, I've had to add the database specifications (username, password etc) into profiles.clj. Should I create profiles.clj and add the location of my database there? And does this mean I have to update the project.clj as well?
Finally, do the queries to the database, such as GET and POST requests, go in db.cljs.
I apologise if these questions are trivial but after reading the documentation several times I am still a little confused
re-frame is a framework for building client-side web applications. You won't be able to do generic database queries as most databases don't support direct access from a browser.
I'm having a problem with my re-frame application. I can't figure out how to connect it to a local database on my machine.
You probably need to create a middle API tier that accepts REST requests from re-frame, and queries the database, returning JSON back to the client.
Finally, do the queries to the database, such as GET and POST requests, go in db.cljs
Those are probably queries to your API tier? They can live anywhere that you would like.
One thing to clarify: re-frame has an app-db that it uses and refers to. This is a client-side database of local state that lives in your application. It doesn't have a connection to the backend, at least not without you writing more code for it. It sounds like you might be confusing these?
I'd like to run a script, typically in PHP or MySQL since it involves changing a Mysql db table when an email arrives at my exchange server (2010).
The server holds IIS7.
So in short:
Email->Exchange server->changes a table in MySQL DB
Notes:
Not looking for a script that connects to the e-mail via POP/imap
I'm looking for a kind of trigger that occurs in the server
Webservices or Transport Agent seem complicated If you can supply an easy example I'll accept it.
If you have a Sink example that runs on Exchange 2010 please support it with careful explanation and examples/links. (step by step if you have to)
Other scripting languages accepted.
Possibly not exactly what you are looking for but Postmark offer an incoming mail service that allows you to do this kind of thing.
Their API is pretty good and very well documented. My understanding is you can set up webhooks that will allow you to do what you're looking for.
I hope this is some use to you.
I just realized that there is no best way to hide MySQL string connection password in my executable file, especially in JAR file. Even encrypting it in EXE would only slow down the process (although I'm not sure how much time would it take to get an encrypted password from an EXE file).
So, from my understanding, I need something in the middle that would do the add, edit, delete etc to the database. Seems like a job for REST API or maybe SOAP services.
My question is, which one should I use? Or should I use something else? I was thinking Zend Framework to create those REST APIs. Then, I would use Qt to create a desktop application to call those APIs. But if I proceed with REST, my application would be a 3 tier application. Wouldn't it be better if I just create a web application? Maybe I should just stick to desktop application call those APIs since the application is already finished and I just need to change from connecting directly to MySQL to calling those APIs to perform tasks rather than changing the whole application to a web.
Any advice would be very helpful. Thanks in advance.
UPDATE:
I'm looking for a security that would protect my MySQL password connection.
Obfuscator would only obfuscate the code, it won't hide my string database information which In my opinion can be easily found using grep after decompiling the JAR using tools like JAD.
About my application:
Using a centralized MySQL database
Thousands of user
Contains sensitive information
My client uses Linux and Windows
My server uses Linux
All access are done in LAN, no outside connection (from Internet etc)
My current solutions (comments please):
Using REST APIs (safer since MySQL password is in the server)
Using Qt with encryption to the password
It depends on what kind of security are you looking for. Is this to protect the application from the user? To protect the user's data from other users? To protect multiple users' data from one another? To protect the user's data from an attacker?
In a lot of applications there's nothing wrong with storing the database login credentials in plain text. In other cases, you might try:
encrypting a user-chosen database password using a reasonably strong algorithm, e.g. Blowfish, using a hard-coded key;
having the user provide the password and "log in" to the program each time;
storing the database password in plain-text, but encrypt the data using a hard-coded key;
same as the above, but encrypt each user's data using their own provided password;
same as 2 but store each user's data in their own database with their login info as the database credentials;
storing the data on a secure remote database that users have to log into to access via a SOAP API;
using the native filesystem permissions to protect the configuration file holding the login credentials;
same as #1 but rolling your own really elaborate key-generation system: e.g. run the machine SID or a hardware id through MD5 using a randomly-generated salt, and then using the result to encrypt the login credentials.
Remember, there's no such thing as perfect security, so whatever you settle on doesn't need to be unbreakable. It just needs to be tough enough to break to make the hassle of circumventing the security mechanism exceed the value of the data. So, for example, if the data is a list of the top scores in Minesweeper, then ROT13 would probably be enough.
Edit:
I just want to add that, even if you can't get around having to hard-code an encryption key in your application, there are obfuscators for Java, .NET, and most other popular languages/frameworks. One of the key uses of these tools is to hide sensitive hard-coded strings like encryption keys.
Edit 2:
Given the additional details about the app in question, only 1, 6 and 8 would apply in this case. And a SOAP API is more appropriate for #6 as George rightly pointed out.
I also want to mention that there are Java resource obfuscators that encrypt string literals. This is just one example.
It pretty much depends in what environment your app runs
a) db and client local
b) db and client in a local network
c) db is in the internet
my two cents:
a) I would create a single db user and wouldn't use a password but restrict acces to localhost
b) direct connect to the database is fine but I would each user have to login with his own password and grant only the permissions he needs.
c) It's a bad idea to allow mysql connections to a public server. In this case webservices would be a good solution.
Anyway if your case is b or c I would stick with a login dialog for the user.
Maybe you should have a look at this http://www.greensql.net/ tool.
It is like a firewall but for mysql/postresql
So you can deny anything and only allow queries you want to.
If you are using Java for implementing your database desktop application, I would recommend to use Java DB as the database. There is a few ways of securing it, and there are alternatives to having a password in the connection string. I would recommend to read Java DB Security - Security Features in Java DB Release 10.4
It is easy to deploy your application with Java DB, since you can have much of it embedded in the same jar file. I have used it in a Point of Sale application implemented in Java.
Hi I have a question regarding security, and web services.
I need a web service to provide an interface for the underlying mySQL database. I am trying to get a Blackberry Application to store data on the web servers mySQL database through a web service.
My question is, how can I ensure that the bb-application is the only thing that is using the web service? The web service will essential insert data into a table. I want to ensure that only the bb-application is allowed to use this service and not someone who figures out the service and starts spamming my table.
Any pointers, best practices or links are greatly appreciated.
Also what sort of web service is best in this scenario?
Take a look at basic authentication over SSL. Configuring the application to include the username/password in the header should be fairly straightforward and the SSL connection will ensure they're not being transmitted in cleartext.
Use net.rim.device.api.crypto.HMAC to implement HMAC authentication and validation. Establishing end to end SSL connections on a Blackberry can be problematic and dependent on wireless provider support unless your users are activated on a corporate BES (which I srongly recommend as part of the solution if you want robust security).
I am going to assume that the BlackBerry application is made by yourself as well. How you can then do this is by creating a sequence or hash that only your application can create, that the web service can verify. For instance, in the beginning of the process, or better, for each step the web service sends down a key sequence, which maps to an internal dictionary within your application on the method to make the unique hash.
The flow would then be as follows:
Perform data task in BB application
Ready to transmit data to web service
Create unique hash from data + your own information from the mapped dictionary
Transmit the data with the key
Web Service verifies the key. If validation fails, it discards the data completely, if succeeds, it will then do what it needs to do.
Continue.
HTH
Disclaimer: Assuming this is an open ended WS.
Also see my answer here.
I would go with a REST web service over HTTPS it would take your problems away. I dunno anything about blackberry apps so I can't give u any pointers on how to use HTTPS in that platform.
If you are creating a SOAP web service then you want to read about ws-security.
Others have indicated using SSL to secure the site. However, that is only one part of the puzzle. Kyle was close with the second, but didn't quite cut it.
The answer is that every single transaction which is posted to your web service must contain some type of authorization key. That key can be pre-shared and baked into the application OR it can be acquired through some other means and set up as part of the application install / configuration process.
Nearly all companies which provide web services online following this method. The idea is that regardless of the underlying protocol (ssl for example) you have to validate that the request is indeed coming from an authorized device / program. Some vendors have the users create a unique key for each user, some for each device, and others just 1 key for the entire organization. Regardless of how deep you take it there is in fact a key.
The key usually isn't that large. It might be anywhere from 15 to 40 alphanumeric characters.
I'm developing a game coded in Flash AS3 and need to read/write info to an SQL server.
Currently, for testing purposes, I use ASQL which is very simple and robust, but it needs a direct connection from the client machine to the SQL server (port 3306 open and allowing wildcard username to connect from anywhere using a password) and the worse, the .swf format itself is not encrypted and a all decompilers will let you extract AS3 code, which means a password stored in code.
I have rounded up a few options but they all lack security measures:
AS3 code sending a POST req to a PHP page which connects to the MySQL server
Use amfphp, but the AMF protocol is still sniff-able
Keep current method and force users to have outgoing port 3306 open, which may confuse costumers.
Help/tips/discussion would be highly appreciated.
You can use HTTP(S) with authentication with e.g. PHP. Don't make the script a wrapper to the SQL connection, as this'd ruin the point of the script (essencially); have custom commands as the protocol (e.g. add/update high scores).
Depending on the number of commands needed I think you should choose option 1 (with only one or a few commands) or option 2 (if you have some more and complex commands to send). Don't open your database to the public internet.
What is the problem you are trying to solve/secure? If all your application (game) logic is at the client you cannot prevent people from faking results. The client is never to be trusted and no securing of the line (https or any other encryption of the communication) will help that -- that will only keep other people from eavesdropping.
If you are trying to secure the posting of high scores or game state - to my knowledge you can make it hard to fake them but you cannot make it impossible unless you move at least some game logic to the server.