8 Replies Latest reply on May 19, 2014 4:59 PM by oliver

    WebDirect and security concerns

    oliver

Recently, I have spent a reasonable amount of time trying out the WebDirect feature, which is a great initiative from FileMaker and comes with big potential and big promise.


When FMS 13 has both the secure connection and the allow progressive download options turned on, you will find that the secure SSL connection may be compromised in certain web browsers, such as Opera on Mac OS X and Safari on iOS. I understand these browsers are not officially supported according to the documentation, but this can create potential data leakage when people are not aware of it.


My finding is that whenever there is interactive content, such as a video or PDF file, in a container field placed on a layout, some browsers switch from SSL back to a non-SSL connection immediately when the interactive content needs to be shown. This is a nightmare, and it raises my concern that WebDirect may fail to protect the data when required. Even if I then switch to another layout with no interactive container field content, the SSL connection in the browser does not turn on again. I have big concerns here.


I hope FileMaker engineers can look into this. This can potentially lead to data leakage if the scenario is not taken care of.


It would be great if any developers could share their views here.


      Thanks.

      Oliver

        • 1. Re: WebDirect and security concerns
          taylorsharpe

I suspect that you do not fully understand how the security works, but I can't answer you and it is a valid question to ask. I assumed the SSL connection was persistent unless you didn't set it in the FM Admin (e.g., allowing progressive downloads, which I assume you have made sure you are not doing). David Head is the main security guy at FileMaker. I suggest you contact him or his staff.

          • 2. Re: WebDirect and security concerns
            oliver

            Thanks Taylor,


Do you mean enabling progressive downloads can compromise the persistent SSL connection in FM? That could be the case here.


My observation is that whenever an FM layout includes a container field with video content, the layout page switches to a non-SSL web page. Would this be by-design behaviour?


In Chrome, I can see that the video streaming content shows as an http URL instead and directs the user to a separate browser tab; I feel this is a reasonable design.


Any comments? I will try to contact FileMaker to follow up on this.


            Oliver

            • 3. Re: WebDirect and security concerns
              taylorsharpe

My understanding is that allowing progressive downloads in the security tab allows container data to be downloaded without encryption while the rest of the fields are all encrypted. I do not understand how this works under the hood and maybe a security expert will speak up and explain it. But if you have checked the button "Enable Progressive Downloading" in the Security tab, you are allowing unencrypted http connections for those containers. If you want everything encrypted, then uncheck the Security tab box "Enable progressive downloading" and you'll have everything encrypted.

              • 4. Re: WebDirect and security concerns
                oliver

You are describing exactly how I expect WebDirect to behave. The results observed in some browsers (e.g. Safari and Opera on Mac OS 10.9) are not exactly as suggested.


It would be helpful if a security expert could speak up to clarify this.


                Thanks.

                • 5. Re: WebDirect and security concerns
                  wimdecorte

                  The admin console specifies this:

                  "Use Secure Sockets Layer (SSL) to encrypt data passed between FileMaker Server components and FileMaker Pro, Go, and WebDirect clients. Progressive downloading allows clients to use interactive content as it is being downloaded. Progressive downloading uses unencrypted HTTP connections, even if the Require secure connections setting is enabled"


As to the WebD session continuing in an unencrypted state after a progressive download is done, could that just be the browser not providing good feedback? Do a test with a packet sniffer to be sure.

                  • 6. Re: WebDirect and security concerns
                    LSNOVER

                    Oliver:


I posted a similar inquiry last week. The issue is arising when using interactive PDF content in WebDirect with Google Chrome (which is supported). There is a tech note from FileMaker, but it's not fully clear. By default, Chrome shows a link to the PDF instead of the interactive field. If you click on the link, Chrome downloads and displays the PDF in a separate tab. The workaround is to click the "Shield" icon shown at the right of the Chrome URL bar and set it to "allow potentially unsafe script to run", or something to that effect. Once you do this, the interactive content begins to work as designed. However, Chrome puts a red slash through the HTTPS part of the URL.


The question I asked is: when a user does this, does it disable SSL? Does it disable it only for the PDF? Is the rest of the content of the page still secure? Is the PDF any more or less secure than using the link, prior to enabling the "unsafe script"?


I agree that there should be a means of keeping the content fully SSL encrypted.
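Wim's suggestion to confirm with a packet sniffer and Lee's observation of Chrome's red slash through HTTPS point at the same question: which parts of an https-delivered WebDirect page are actually fetched over plain http. A complementary check, without capturing traffic, is to audit the page markup the browser received and list every reference that resolves to an http:// URL, separating active mixed content (scripts, frames, embedded objects, stylesheets, which browsers block or let you "run unsafe script") from passive media (images, video, audio, which browsers typically load and mark the page as degraded) and from plain links (a navigation, not mixed content, but the download leaves the encrypted session once clicked). The script below is an added example for this thread, not FileMaker's code or a description of WebDirect internals; the page URL, hostnames and paths in the sample HTML are constructed to resemble a layout with an interactive container served by progressive download.

```python
"""Mixed-content audit for an HTTPS page (added example, not FileMaker's code).

Given the HTML a browser received over https, list every sub-resource or link
that resolves to a plain http:// URL and classify how a browser treats it.
The sample page URL and HTML below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Insecure loads of these elements are "active" (blockable) mixed content;
# insecure media loads are "passive" (optionally blockable) mixed content.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "link"}
PASSIVE_TAGS = {"img", "video", "audio", "source", "track"}
URL_ATTRS = {"src", "href", "data", "poster"}


class _ResourceCollector(HTMLParser):
    """Collect (tag, attribute, raw_url) for every URL-bearing attribute."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.found.append((tag, name, value))


def audit_mixed_content(page_url, html):
    """Return a list of findings for http:// references inside an https page.

    Each finding is a dict with the element, attribute, absolute URL and a
    kind: active-mixed, passive-mixed, insecure-link or other-insecure.
    """
    if urlsplit(page_url).scheme != "https":
        raise ValueError("audit is only meaningful for a page delivered over https")
    collector = _ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, attr, raw in collector.found:
        absolute = urljoin(page_url, raw)  # relative URLs inherit https
        if urlsplit(absolute).scheme != "http":
            continue  # https, data:, blob:, mailto: etc. are not plaintext fetches
        if tag == "a":
            kind = "insecure-link"
        elif tag in ACTIVE_TAGS:
            kind = "active-mixed"
        elif tag in PASSIVE_TAGS:
            kind = "passive-mixed"
        else:
            kind = "other-insecure"
        findings.append({"tag": tag, "attr": attr, "url": absolute, "kind": kind})
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {"passive-mixed": 2, "active-mixed": 1}."""
    counts = {}
    for finding in findings:
        counts[finding["kind"]] = counts.get(finding["kind"], 0) + 1
    return counts


# Constructed sample: an https layout page whose interactive container content
# (video poster, video stream, embedded PDF and a download link) is served over http.
SAMPLE_PAGE_URL = "https://fms.example.test/fmi/webd"  # constructed hostname
SAMPLE_HTML = """
<html><body>
<script src="/fmi/webd/app.js"></script>
<img src="https://fms.example.test/static/logo.png">
<video controls poster="http://fms.example.test/progressive/poster.jpg">
  <source src="http://fms.example.test/progressive/clip.mp4" type="video/mp4">
</video>
<embed src="http://fms.example.test/progressive/report.pdf" type="application/pdf">
<a href="http://fms.example.test/progressive/report.pdf">Open PDF</a>
</body></html>
"""

if __name__ == "__main__":
    results = audit_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML)
    for finding in results:
        print(f'{finding["kind"]:15} <{finding["tag"]} {finding["attr"]}> {finding["url"]}')
    print("summary:", summarize(results))
```

On the constructed sample the relative script and the https logo are not reported; the poster and video source are passive mixed content, the embedded PDF is active mixed content (the case where Chrome asks before running it), and the anchor is an insecure link. Running this over the page source saved from a real session tells you what the browser's padlock is reacting to; whether the rest of the session stays encrypted afterwards is still a question for the packet capture Wim suggested.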

                    • 7. Re: WebDirect and security concerns
                      Malcolm

As to the WebD session continuing in an unencrypted state after a progressive download is done, could that just be the browser not providing good feedback? Do a test with a packet sniffer to be sure.


                      That would be bad.


                      When David Head was telling us about the wonders of Server 13 he did say that progressive downloads used the http port. I presume that he regards this as a deficiency in the product because he spoke quietly and moved quickly to the next item in the agenda. In contrast, when he’s on safe ground he talks loudly and takes questions.


                      Malcolm

                      • 8. Re: WebDirect and security concerns
                        oliver

I can understand that container content which falls under progressive download via http is not encrypted, as mentioned in the doc. How about the rest of the content on the same page?


Wimdecorte, I appreciate that this could be a browser feedback issue. There could be some ways to avoid this. As for WebDirect, it is by design exposed to the public and not within a controlled environment. Without deep consideration of how to handle the data in a secure way, this can introduce some bad results.


                        Thanks