#1
How well is code obfuscating in terms of web security..
Hi,

I know there are many topics about web security etc. In situations where SSL cannot be used, for whatever reason, I find it very interesting how crackers are able to get unauthorized access to websites. With this in mind, I try to protect a website with all the means and knowledge available to me. Questions I am wondering about are:

1- Getting a user's password using sniffing methods would mean breaking into the ISP, since information can only be traced at that particular point. How often does this really occur, and does it pose a real threat for websites in general?

2- If someone IS capable of sniffing traffic from your website, I am sure they must filter information, since reviewing every bit of information sent would take ages to validate on relevance. Would obfuscation of data be an answer to this?

Background- I've created an encryption-decryption actionscript, using Flash MX, for passwords and usernames. This works very well, and I am very confident that the username and password can only be 'cracked' when someone can sniff-obtain the 'key' on which the actionscript formula is based, PLUS can obtain the swf file, where the formula is written in. Specific programs however are able to view the actionscripts in swf files.

My concern is the key however. The key I've created is sent to the client side, obfuscated like ?newmessages=234 where 'newmessages' is really the key which is sent. The server side saves this key in a session variable. The key is hidden in a frame, and remains there until the user exits the website. When the user wants to renew its password, an encryption-decryption takes place, based on that key, hidden in the frame.

So again: How well is code obfuscating in terms of web security?

greetings
Patrick

Last edited by cuboctahedron : July 29th, 2003 at 11:47 AM.
#2
If somebody wanted to break your system, they would be unlikely to try sniffing your network for data - It's more likely that they would scan for open ports on your application servers, establish what services are running, and then start googling for root kits and exploits. It seems that this is the general route taken by today's common-or-garden script kiddies.

Regarding the 'filtering' of network traffic for discernable data, I don't think piping tcpdump output through strings and redirecting to a file for a leisurely v-grep is beyond the realms of reason.

Incidentally, sniffing would not mean having to break into the ISP. It would simply require access to any point of the network which is carrying your data. If this means wardriving past your WaveLAN, physically installing a snooper, or just hotdesking in your office, then your data could be at risk.

christo
#3
By sniffing a network, do you mean LAN, and/or the traffic from the webserver, which is located in the office itself, to the ISP? To my knowledge, data-packets from websites are scattered in many directions when past the ISP. One packet may physically go through Houston, while another may go through Singapore. However they all end up gathered at the same destination-computer.

At the office we purchased the latest Cisco firewall/router, hoping and counting on it to do its job as it should. That's why I'd consider password hijacking outside our LAN, through sniffing, to be the next serious risk involved.

gr
Patrick

Last edited by cuboctahedron : July 29th, 2003 at 12:00 PM.
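
Added example, not part of the thread: a Python sketch of the scheme in the first post (a key delivered as `?newmessages=234`, then used client-side to encrypt the password), showing what a passive party with the capture and the formula from the SWF can derive. The cipher is a stand-in, since the ActionScript formula is not given; the paths, the `lang`, `page` and `pw` parameters and all values are constructed.

```python
import hashlib
from urllib.parse import urlsplit, parse_qsl

def _xor_stream(data: bytes, key: str) -> bytes:
    # Stand-in for the poster's unpublished ActionScript formula (assumption):
    # XOR with a SHA-256 counter-mode keystream derived from the session key.
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(f"{key}:{block}".encode()).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def client_encrypt(password: str, key: str) -> str:
    return _xor_stream(password.encode(), key).hex()

def server_decrypt(blob_hex: str, key: str) -> str:
    return _xor_stream(bytes.fromhex(blob_hex), key).decode()

def build_capture(password: str, key: str) -> list[str]:
    # Constructed request lines for the plain-HTTP session (not real traffic).
    return [
        f"GET /frame.html?lang=en&newmessages={key}&page=inbox HTTP/1.1",
        f"GET /renew?pw={client_encrypt(password, key)} HTTP/1.1",
    ]

def observer_view(capture: list[str]) -> list[tuple[str, str]]:
    """What a passive party holding the capture and the SWF formula can derive."""
    params = [p for line in capture
              for p in parse_qsl(urlsplit(line.split()[1]).query)]
    found = []
    for blob_name, blob in params:
        try:
            raw = bytes.fromhex(blob)
        except ValueError:
            continue  # not a hex blob, so not the encrypted field
        for key_name, key in params:
            if key_name == blob_name:
                continue
            plain = _xor_stream(raw, key)
            if plain and all(32 <= b < 127 for b in plain):
                found.append((key_name, plain.decode()))
    return found

if __name__ == "__main__":
    print(observer_view(build_capture("hunter2-renewed", "234")))
```

Renaming the key parameter does not change the result: the candidate keys are just the handful of values that crossed the same unencrypted channel as the ciphertext.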