[Rets-dev] Username/Password and security policies
Stuart Schuessler
sschuessler at tds.net
Fri Mar 9 15:23:18 CST 2007
I do not believe I said it would prevent it. I said having a trusted vendor
partner along with activity logs HELPS to prevent it. If your vendor
partner is trusted and the methods of exporting the data from the client are
approved then the MLS has more control over the data. It is not prevented
but it is much more secure than opening the RETS server to any client with a
valid login, which is the case if client authentication is not implemented.
Stuart
-----Original Message-----
From: Jeff Brush [mailto:jeffbrush at hotmail.com]
Sent: Friday, March 09, 2007 4:07 PM
To: 'Stuart Schuessler'; 'Colby Ackerfield'; rets-dev at rets.org
Subject: RE: [Rets-dev] Username/Password and security policies
Stuart Schuessler wrote:
> You probably would want to implement the client authentication as well.
> Just checking the user-agent is easy to fake. A person can do it with Firefox. If
> you do not implement the client authentication then anyone with a login to the MLS
> system and access privileges can download your entire database and sell it to a
> moving company or any number of data aggregators.
How are client authentication passwords really any less easy to fake?
And how does client authentication prevent the user from selling the data?
At best, client authentication (the RETS-UA-Authorization header in RETS
1.7) provides a method for MLSs to limit which client applications may
access their systems.
Jeff Brush
Ronin Technologies
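
Added example, not part of either message in this thread: a server-side check of the RETS-UA-Authorization header, showing how it differs from matching the User-Agent string alone. It assumes the RETS 1.7 digest layout MD5(MD5(product:ua-password):request-id:session-id:version); the product name, password and function names are hypothetical.

```python
import hashlib
import hmac

# Constructed sample registry: product token -> user-agent password.
# Both values are hypothetical and exist only for this example.
UA_PASSWORDS = {"ExampleClient/1.0": "constructed-ua-secret"}


def _md5_hex(text):
    """Lower-case hex MD5 of a string (the digest form assumed here)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ua_digest(product, ua_password, request_id, session_id, version):
    """Digest a client would send, per the layout assumed in the lead-in."""
    a1 = _md5_hex(f"{product}:{ua_password}")
    return _md5_hex(f"{a1}:{request_id}:{session_id}:{version}")


def verify_ua_authorization(headers, session_id=""):
    """Return True only if the request proves knowledge of the UA password.

    A request that merely copies an approved User-Agent string fails,
    because it cannot produce the digest without the shared secret.
    """
    product = headers.get("User-Agent", "")
    secret = UA_PASSWORDS.get(product)
    if secret is None:
        return False  # unknown client application

    scheme, _, supplied = headers.get("RETS-UA-Authorization", "").partition(" ")
    if scheme != "Digest" or not supplied:
        return False  # header missing or malformed

    expected = ua_digest(
        product,
        secret,
        headers.get("RETS-Request-ID", ""),
        session_id,
        headers.get("RETS-Version", ""),
    )
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(
        expected.encode("ascii"), supplied.strip().lower().encode("utf-8")
    )
```

The check identifies the client application, not what the logged-in user later does with downloaded data, so it is normally paired with per-user activity logging.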