FMP 8.5, Win or Mac:

What security issues/concerns are there with use of Web Publishing of a
FileMaker database?

I know that the usual account names and passwords apply. So there is
some protection. But what about other vulnerabilities?

Is it possible for packet sniffers to read the data in transmission, or
discover the passwords?

What is the risk of this? How serious?

What can be done to eliminate or reduce these vulnerabilities?

I have heard of SSL encryption but don't know much about it other than
it is used with banking transactions, credit card ordering, etc. Would
this eliminate these vulnerabilities? What does it take to make use of
this?

The sensitive data of concern in my solution is personal information on
individuals, including name, Social Security Number, birthdate, address,
phone number. The concern is invasion of privacy and possible identity
theft. No information about bank accounts or other financial accounts is
involved.

Comments? Thoughts? Advice? Resources for learning?

--
For email, change <fake> to <earthlink>
Bill Collins

On Jun 28, 6:34 pm, Bill <bbcoll... (AT) fake (DOT) net> wrote:
Yes absolutely. At least for data. I'm not sure about user/names
passwords via IWP.

It really depends on who is accessing the site, and from where.

Use SSL

You need an SSL certificate, and you need to host the database via
SSL. (https vs http in laymans terms)
I seem to recall they talk about SSL in the manual.

You can also put the website on the lan (e.g. make in an intranet),
and then require people log in via a VPN before connecting to the
site... if you need another layer of security, but SSL is probably
enough.

-Dave

I use IWP. Presumably, this is a form of web publishing so the issues
apply.

The point of IWP is to serve a file directly to others from one's
computer.

How does one make IWP serving of a file secure using SSL ?

Marmot

On Jun 29, 3:00 am, thdyo... (AT) googlemail (DOT) com wrote:
SSL is really a function of the web server not Filemaker.
You need to enable SSL with IIS (on windows) or Apache (on os x).

There are lots of resources on the web that cover doing this. Google
is your friend, as is the Microsoft (or Apache) forums and knowledge
base.

Essentially, first you need to obtain an SSL cert, run the Web Server
Certificate wizard in IIS to install it, and enable SSL for the site.
Filemaker IWP runs on the 'default web site', so that is the site you
need to enable SSL for. Filemaker doesn't really know or care if SSL
is present or not.

There are some organizations that will issue SSL certs for free, but
the users browser won't generally recognize them as being from a valid
certificate authority, and will prompt the user to accept them. (For
it be accepted it needs to be issued from a company in the browsers
'root certificates' and each browser comes with its own list. (which
is periodically updated -- e.g. via windows update). A free cert is
fine for internal users, as they merely need to accept the cert the
first visit. But if you are exposing the site to the general public
you probably want to shell out for a cert from a bigger certificate
authority (represented in the root certs) so vistors won't be
challenged with a warning message.

-regards,
Dave

On Jul 1, 7:45 pm, d-42 <db.pors... (AT) gmail (DOT) com> wrote:
thank you for explaining it

Marmot