RDS Security Problems?

September 09, 2005
coldfusion

Erki Esken posted a comment on Ben Forta's blog asking if the source to the RDS plugin for Eclipse would be released. Forta's response was:

"But, my gut feel is that it would not be a good idea to fully expose the source for RDS as that may create potential security problems."

Wait a second there. I can understand that Macromedia may not want to release the source for business reasons, and I have no problem with that. But suggesting that the source code would create security problems for ColdFusion? Well, either the security problem is there or it isn't. The source code isn't going to create the problem, and keeping the source code for RDS closed isn't going to make it go away.

Now I know that Macromedia has recommended in various technotes that folks disable RDS in production as a best practice. But they also state on their web site:

ColdFusion RDS allows developers to securely access remote files and data sources, and debug CFML code.
Macromedia Technote 17276, second paragraph.

My concerns are these:

  • If there is an actual security problem with RDS that Macromedia knows about, beyond the fact that authentication happens in plain text if you're not using SSL, then ethically they should come forward with it and release a patch.
  • It is already published on their web site that the protocol doesn't send the passwords in plain text, so that is nothing new. Since Ben said it would "create potential security problems", this suggests that he may be talking about something that isn't published already.
  • Many people do in fact use RDS despite best practice; my poll showed that 40% of my readers use RDS.
  • Macromedia is sending a mixed message by saying it's secure, but that you should disable it for security reasons.

I'm hopeful this can be resolved with another comment by Ben. I'm not trying to cause trouble here; it just doesn't sit well with me.

In closing, I want to mention that I think it's great Macromedia is building this plugin, and I don't have a problem with it being closed source. Don't get me wrong, I'd love to see the RDS protocol open, but I'm not going to hold my breath.

Update: Ben has cleared up things in his blog post, please check it out.

I'm going to be out of town this weekend, so I won't be able to reply to any comments until Sunday night or Monday.


Comments

I think you missed the point on this one, see my reply to your comment in my original post.
Thanks for clearing that up, Ben. I've updated this entry to reflect that. -pete
Unable to go to trackback URL - "missing url variable". Wanted to say I'm interested in what Ben says about RDS. I must admit great frustration regarding this issue. We have several years into CF CMS but have never been able to use CF/RDS w/DW. Sad truth is that virtually all hosting companies disable RDS on shared hosting because of Macromedia's own warnings. It is my opinion that many Mac developers go ASP vs. CF because they can connect and develop with Dreamweaver. Everything we have built with CF we have hand-coded. Emancipate me.
