11-03-2009 10:51 PM
I recall this question being posed in other thread but never saw an answer:
How do we protect someone from just POSTing a request to our key servers that AppWorld requires for dynamic licensing and getting free keys? There appears to be no way of authenticating that it's RIM making the request, nor are we given a list of valid IP addresses to filter on.
Do any of you have some sort of security scheme, or are you just issuing keys to whoever posts a request?
Regards,
Jim
11-04-2009 02:52 PM
Jim,
The only way you can really do a security check is based off of IP. So far I've only seen one IP address from AppWorld but they could always add more or change their IP.
You can also put whatever parameters you want in the URL for the dynamic licensing so if you add a parameter of say... secretCode=ThisMustHaveComeFromAppWorld, then you can also check for this value before you issue your key.
11-05-2009 09:00 AM
RLord,
I like your idea of the extra parameter in the URL. That sounds like a simple but reasonably effective added layer of security. I think I'll do that and then just do a periodic scan of the source IPs. If it looks like there's an issue, I'll worry about more protection then.
Thanks,
Jim
11-05-2009 09:25 AM
This is a really clever idea, I'll be doing the same.
01-19-2010 03:50 PM
01-19-2010 10:15 PM
That should work. I would check the code on the server's side. Try looping through all the parameters and printing them all out to the screen.
11-05-2010 07:09 PM - last edited on 11-05-2010 07:11 PM
Adding a Secret Code in an HTTP Get is no more secure than not doing it. Anything in a get will show up in things like firewall and proxy logs. They are easy to get. You can find lots of those logs by just Googling.
This is why RIM makes the licensing query in the form of a Post. Post data does not generally show up in logs out on the net.
Your only real protection options are to use SSL on the connection and to respond only to known IP addresses of RIM. Then you should be good.
It would be nice if RIM allowed us to configure a secret key to be included in the Post data... But I would not do it in a URL (HTTP Get).
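The controls discussed in this thread (SSL on the connection, a source-IP allow-list, and a shared secret carried in the POST body rather than the URL) combined into one server-side check, as an added Python example that is not code from any poster. The 203.0.113.0/24 block is a placeholder for whatever network the whois lookup returns, the LicenseRequest class is a stand-in for the web framework's request object, and the body-carried secretCode assumes a POST-body secret were available, which the post above notes RIM did not offer.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import Tuple

# Placeholder network (TEST-NET-3): the thread gives no real RIM addresses,
# so this stands in for the block found via the ARIN whois lookup.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# Shared secret agreed out of band; kept server-side and never placed in the URL.
SHARED_SECRET = "ThisMustHaveComeFromAppWorld"


@dataclass
class LicenseRequest:
    """Constructed stand-in for an incoming HTTP request (hypothetical shape)."""
    method: str
    remote_ip: str
    query: dict = field(default_factory=dict)  # parameters in the URL (logged by proxies)
    form: dict = field(default_factory=dict)   # parameters in the POST body
    over_tls: bool = False


def check_license_request(req: LicenseRequest) -> Tuple[bool, str]:
    """Return (accepted, reason); every check must pass before a key is issued."""
    if not req.over_tls:
        return False, "plaintext connection"
    if req.method != "POST":
        return False, "method not POST"
    try:
        src = ipaddress.ip_address(req.remote_ip)
    except ValueError:
        return False, "unparseable source address"
    if not any(src in net for net in ALLOWED_NETWORKS):
        return False, "source address outside allow-list"
    # Only the body copy counts: a secret in the query string ends up in
    # firewall and proxy logs, which is the weakness raised in the thread.
    supplied = req.form.get("secretCode", "")
    if not hmac.compare_digest(supplied.encode(), SHARED_SECRET.encode()):
        return False, "bad or missing secret"
    return True, "ok"
```

Each rejection reason is distinct so the failures can be counted separately when doing the periodic review of source IPs mentioned earlier in the thread.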
11-08-2010 06:19 AM
I agree with the above post. Adding a parameter in the GET request is quite easy to intercept; even with POST, if the contents are not encrypted it would be easy to second-guess for a hacker.
You can easily obtain the range of IP addresses RIM uses. It takes a bit of looking around, but as far as I can remember it's something along the lines of:
a.b.c.[x-y]
So long as "a.b.c" matches RIM's range you should be good.
You have to really weigh your security options and see if it's actually worth the extra time and hassle. I wouldn't worry about it too much, unless it's a really expensive and/or desirable app.
11-10-2010 05:12 PM
To find the addresses of RIM, just look in the headers of their request to get their IP. Then go to ARIN and do a whois lookup on the address to find the network. Allowing any address from that network would be a safe bet...