The same is the suggestion I gave to the company, which they rejected due to the reason that there are lots of module codes to be modified, which is tedious work. That's the reason why I have been developing an alternate solution.
Anyway, I will express my experiences once again on this issue to the company. Let me see what the outcome is.
Retired horse trader.
James Sabre wrote:
If your security advisors are saying that HTTPS is insecure then the whole of Internet finance is insecure. Internet finance is not insecure. The only way that a proxy can do such a man-in-the-middle attack is if, during the https handshake preliminaries, it presents a certificate signed by someone you trust. So, the proxy would have had to be installed by someone you trust for them to be able to see the parameter values.
You need to hire a reputable security advisor because as it stands you are trying to solve a problem that does not exist.
Wit kobsutthipoonchai wrote:
In my opinion, POST data should be encrypted before being sent to HTTPS in order to solve this problem.
Ulf Dittmer wrote:
Secondly, never (and I mean never) round-trip DB key IDs from the server to the client and back, unless they're encrypted on the server and you can be sure that the client has no way of decrypting them. The client can't be trusted. Some attacker (not someone in the middle, but someone at the client side) will tamper with those IDs, so don't send them in cleartext. Even better, don't send them at all, but keep them in a server-side session.
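As an added example (not code posted in this thread), here is what the two options above look like in Python: a server-side session that hands the client only opaque random handles, so the real DB key never leaves the server, and, for the case where an ID must travel to the client, an HMAC that binds it to the session so client-side tampering is detected. The key and session id below are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
from typing import Optional


class ServerSession:
    """Server-side session mapping opaque handles to real DB keys.

    Only the handle is sent to the client; the DB key itself stays here.
    """

    def __init__(self) -> None:
        self._handles: dict[str, int] = {}

    def issue_handle(self, db_id: int) -> str:
        # Random, unguessable handle; nothing about db_id can be derived from it.
        handle = secrets.token_urlsafe(16)
        self._handles[handle] = db_id
        return handle

    def resolve(self, handle: str) -> Optional[int]:
        # Unknown or tampered handles resolve to None; never fall back to int(handle).
        return self._handles.get(handle)


# Alternative when the ID must be sent: tie it to the session with an HMAC.
# This detects tampering but does not hide the ID (that would need encryption).
def sign_id(db_id: int, key: bytes, session_id: str) -> str:
    tag = hmac.new(key, f"{session_id}:{db_id}".encode(), hashlib.sha256).hexdigest()
    return f"{db_id}.{tag}"


def verify_id(token: str, key: bytes, session_id: str) -> Optional[int]:
    """Return the ID if the token is intact and belongs to this session, else None."""
    try:
        id_part, tag = token.rsplit(".", 1)
        db_id = int(id_part)
    except ValueError:
        return None  # malformed token
    expected = hmac.new(key, f"{session_id}:{db_id}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # ID changed, or token replayed from another session
    return db_id


if __name__ == "__main__":
    session = ServerSession()
    handle = session.issue_handle(42)  # constructed DB key
    print(session.resolve(handle), session.resolve("42"))  # 42 None
```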
Ulf Dittmer wrote:
Isn't that exactly what I said?