RDS Security Problems?
Erki Esken posted a comment on Ben Forta's blog asking if the source to the RDS plugin for Eclipse would be released. Forta's response was:
"But, my gut feel is that it would not be a good idea to fully expose the source for RDS as that may create potential security problems."
Wait a second there. I can understand that Macromedia may not want to release the source for business reasons. I have no problem with that. But suggesting that the source code would create security problems for ColdFusion, well, either the security problem is there or it isn't. Releasing the source code isn't going to create the problem, and keeping the RDS source closed isn't going to make it go away.
Now I know that Macromedia has recommended in various technotes that you disable RDS in production as a best practice. But they also state on their web site:
ColdFusion RDS allows developers to securely access remote files and data sources, and debug CFML code.
Macromedia Technote: 17276 second paragraph.
My concerns are these:
- If there is an actual security problem with RDS, beyond folks authenticating in plain text (if you're not using SSL), that Macromedia knows about, then ethically they should come forward with it and release a patch.
- Their web site already documents that the protocol doesn't send the passwords in plain text, so that much is nothing new. Since Ben said it would "create potential security problems", this suggests he may be talking about something that isn't already published.
- Many people do in fact use RDS, despite best practice; my poll showed that 40% of my readers use RDS.
- Macromedia is sending a mixed message by saying it's secure, but that you should disable it for security reasons.
I'm hopeful this can be resolved with another comment by Ben. I'm not trying to cause trouble here, it just doesn't sit well with me.
In closing, I want to mention that I think it's great Macromedia is building this plugin, and I don't have a problem with it being closed source. Don't get me wrong, I'd love to see the RDS protocol opened up, but I'm not going to hold my breath.
Update: Ben has cleared things up in his blog post, please check it out.
I'm going to be out of town this weekend, so I won't be able to reply to any comments until Sunday night or Monday.