A lot of developers emailed me about the "technique" we use to encrypt access to Web Services in the Connection Manager.
Developers seemed to like the "dual" approach, but be careful, there are a lot of "holes" here ...
The most important one is that one of the keys MUST be embedded in both the Connection Manager and our applications - so the apps may be a target of "reverse engineering" or an "angry" employee.
Also, if you check the code, you will see that we have NO encryption when sending the connection info array back to applications.
We did this to "encourage" developers to think of their own "encryption code" and of course add it also to the info sent back.
The most important question we were asked was: should we talk about the encryption code in the forums?
The quick answer is YES - there is NO other way to find the "holes" in your implementation.
Of course, the best option would be to use RSA or Elliptic Curves ...