Tim Dietrich

Custom Software Developer

Home Services Portfolio Blog About Contact Newsletter

Fireball: Security and Update

Here’s another update on the progress of the "Fireball" technique that I wrote about a few weeks ago. One of our big concerns with the technique is (or was) security. Let me explain with an example. Here’s what a typical Fireball call to the server looks like:

httpspost://someuser:somepassword@someserver.com/fmi/xml/fmresultset.xml?-db=SomeFMDatabase&-lay=Fireball&-lay.response=Fireball&-script=Fireball&-findany&-script.param=<fireball payload>

Notice that we’re using "httpspost," a feature added to the "Insert from URL" script step in FileMaker 13. According to this technote, "all the text after the first ? character is sent as the POST data." That means that the parameters being used to make the XML call, as well as the actual "fireball" payload (which in many cases includes data) is being encrypted. So far, so good. However, my concern was with the URL up to that point (everything up to the question mark). As you can see, we’re using HTTP Basic Authentication (BA), and passing the credentials in the URL itself. It sure looks like those would be passed as plain text. And that’s not so good. After doing quite a bit of research, I found this post on StackExchange: "Is BASIC-Auth secure if done over HTTPS?" There’s a lot of back and forth in the thread, but the good news is that because we’re using HTTPS, then the credentials are (supposedly) safe. Here's a second post that seems to validate that claim: "HTTP Basic Authentication credentials passed in URL and encryption" As one responder wrote, "The entire communication (save for the DNS lookup if the IP for the hostname isn't already cached) is encrypted when SSL is in use." I had always been under the impression that anything in the URL, up to the point that parameters were being passed, was fair game. Which meant that credentials being sent via HTTP Basic Auth were in plain text, regardless of whether or not they were being sent over HTTPS. You learn something new everyday. So the good news is that our plan for handling credentials in Fireball payloads is no longer needed. We had a rather complicated solution on the drawing board - one that involved passing the "real" credentials in the payloads, and then using them with the Re-Login script step to perform a second authentication. Thankfully, that’s no longer necessary. In any case, we’re now putting together some documentation on the Fireball technique, as well as sample files. Look for another update in the next few days.