


On Tue, 2005-04-26 at 14:14 -0500, rob@xxxxxxxxx wrote:
> I am sure that someone like James who has written a 5250 application for 
> windows terminals might be able to tell you how easy it would be for such 
> an application to trap IDs and passwords and store them on a file on the 
> PC.  Or record any data entered on a line following the text "SSN" or like 
> data.  Twinax can be sniffed, but let's face it.  Most people use 5250 
> emulation programs on network cards.  5250 traffic can be sniffed just as 
> easily as any other network traffic.  Therefore I don't find it any more 
> secure.
I believe it's not difficult.  I'm sure we could examine the source code
for tn5250 to get the exact semantics.

Someone made the statement that 5250 apps are more secure than browser
apps.  Then the question got asked: why?

I think 5250 apps have certain advantages, namely that they don't
*require* a PC HTML browser to run them.  e.g. You *can* run them on a
terminal.  Not that you have to, or that most folks today even do.

Then, I got thinking about whether or not a tn5250 client is more or
less secure than a browser client.

Browser clients have had spectacular security failures in the past, and
if the programming of the application gets just a bit sloppy, are
susceptible to application attacks, like the SQL injection attack: 

<http://www.samag.com/documents/s=9658/sam0505h/0505h.htm>


What I got to thinking about was this type of browser attack:

<http://www.imperva.com/application_defense_center/glossary/parameter_tampering.html>


And how it might relate to a compromised 5250 client.  Folks who code
browser apps better program defensively and never trust data coming in
from the web client in order to have a secure application.

There is no such mindset in the green screen app world.  I think RPG
programmers generally trust that their hidden fields and conditioning
indicators get respected by the 5250 client, and don't give a thought
that they might get compromised.

For the most part, I think that application attacks aimed at a 5250
application are quite doable.

Of course, you still have to be able to *log in* to the machine and run
them. 



> And I am sure that James has high ethical standards, but what is to stop a 
> virus on your machine from replacing the code
Nothing...

Usually, not worth the bother, because the traffic is generally already
'in the clear'.



--
Regards,
Rich

Current Conditions in Des Moines, IA
Overcast
Temp 50F
Winds out of the North at 21, gusting to 29mph
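
The "never trust data coming in from the client" posture discussed in the message above, as an added example that is not part of the original post: the server keeps its own record of the screen it sent and checks the client's reply against it. This is a simplified model, not the real 5250 data stream; the `Field` class, the field names and the sample values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Field:
    name: str
    value: str
    input_capable: bool    # True if the operator is allowed to type into it
    enabled: bool = True   # False models a field turned off by a conditioning indicator
    max_len: int = 10

def violations(sent, received):
    """Compare the client's reply with the server's own record of the screen.

    sent: list of Field the application wrote; received: dict name -> value
    returned by the client. Returns a list of problems (empty means clean).
    """
    record = {f.name: f for f in sent}
    problems = []
    for name, value in received.items():
        f = record.get(name)
        if f is None:
            problems.append(f"{name}: never sent to the client")
        elif not f.enabled:
            problems.append(f"{name}: conditioned off for this user")
        elif not f.input_capable and value != f.value:
            problems.append(f"{name}: output-only field was modified")
        elif len(value) > f.max_len:
            problems.append(f"{name}: exceeds {f.max_len} characters")
    return problems

def accept(sent, received):
    """Return trusted values: client data only for enabled input fields."""
    found = violations(sent, received)
    if found:
        raise ValueError("; ".join(found))
    return {f.name: received.get(f.name, f.value) if f.input_capable and f.enabled
            else f.value for f in sent}

# Constructed sample screen (hypothetical order-entry panel) and two replies.
SCREEN = [
    Field("CUSTNO", "004217", input_capable=False),
    Field("PRICE", "19.99", input_capable=False),
    Field("QTY", "1", input_capable=True, max_len=3),
    Field("DISCOUNT", "0", input_capable=True, enabled=False),
]
HONEST = {"CUSTNO": "004217", "PRICE": "19.99", "QTY": "12"}
TAMPERED = {"CUSTNO": "004217", "PRICE": "0.01", "QTY": "12", "DISCOUNT": "90"}
```

`accept()` rebuilds every output-only or disabled field from the server's copy, so even a reply that passes the checks cannot change anything other than the fields the application meant to be editable.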




This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
