RE: Green-screen versus browser

[Scott Klement <midrange-l@xxxxxxxxxxxxxxxx>]

> I stand corrected.  This means that 5250 apps *are* indeed more safe
> than browser apps because hackers cannot exploit hidden fields and such.

Depends on what you consider a "hidden" field. If you mean P-fields or 
H-fields in DDS, then you're right, they're never sent to the client so 
there's no danger.

However Non-display fields (those with DSPATR(ND)) can be viewed by a 
rogue 5250 emulator.  People commonly use this feature to allow fields to 
be viewable to some users, and not to others.  (By contrast, hidden or 
program-to-system fields can never be displayed on the screen)

The other area where this might be a concern is application trust. iSeries 
programs generally assume that 5250 screens will behave the way they're 
told to behave. Web programmers are usually more paranoid.

As a result, a rogue 5250 emulator can easily crash an RPG program, or 
send it data that will cause strange results.

I think it's a mistake to say that 5250 programs are more secure. In fact, 
the STRPCO/STRPCCMD ability by itself makes them significantly less secure 
than a browser.  In fact, if you look at the major security holes that 
have been found in IE recently, pretty much all of them are major holes 
becuase they let you run a program on the client PC. In 5250, you don't 
need a convoluted work-around to infect the remote PC, it's done by 
design!

Security is not a reason to keep 5250.