Raymond Camden's Blog

ColdFusion 9.0.1 Sneak


Posted in ColdFusion | Posted on 06-08-2010 | 4,133 views

Here is a quick video of the ColdFusion 9.0.1 sneak I gave in Europe two weeks ago. Please do not ask any specific questions as I probably will not be able to answer. Vague questions and accusations are welcome.

Comments


Thanks for the s3 overview Ray. I was wondering how secure the s3 connection is? Specifically since the credentials are passed in the s3 URL. If packet sniffing http:// or ftp:// transmissions, the URL can be observed. If sniffing an https:// connection, the URL is not observable. Does it implicitly use an encryption protocol (SSL?) to obscure the credentials in the URL from packet sniffing cracks?

Thanks!

Wouldn't you need to be packet sniffing on the CF server network itself? If you sniff on the client, you wouldn't see anything.

Right, the client connection is secure because the client doesn't require the accesskey/secretkey to pull down images.

But accessing s3 from ColdFusion does require the credentials. A cracker on the CF server, the CF network, or elsewhere along the network path to s3 could intercept the packets and observe the URL (and hence the credentials) unless the URL were encrypted en route. Since this is the recommended connection method by Amazon, surely they must have secured the protocol, but I'm just looking for confirmation. They probably secure the authentication part of the connection, then pass an authentication token (Kerberos ticket?) back and forth during the remainder of the session which would probably occur unencrypted. I suppose I'd have to look up the s3 RFC if there is one.

Absolutely no idea on this one - but it's definitely important for Adobe to answer. I'll ping Terry. Of course, he may not be _able_ to answer yet anyway. Certainly it must be answered at launch time though.

Obviously I completely overlooked the part where you said not to ask questions. Oops. Sorry. I won't be offended if you delete.

Nah, it's a valid question. I've pinged Terry - no guarantee we will get a response though. :)

The communication between the Amazon S3 server and CF is secured using SSL. So all the data including secret access key is completely secure. Even if you choose not to use SSL, which btw we don't allow directly, your secret access key will remain safe as that is never sent over the wire.

Thanks for the clarification, Rupesh!
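
The point in the thread above that the secret access key is never sent over the wire can be seen in the HMAC request signing that S3's REST API used at the time (signature version 2, since superseded): the client sends only the access key ID and a signature, and the service recomputes the signature from its own copy of the secret. This is an added example, not code from the post, from Adobe or from ColdFusion; the keys, bucket name and date are constructed, and how ColdFusion builds its requests internally is not shown on the page.

```python
import base64
import hashlib
import hmac

# Constructed credentials for illustration only (not real keys).
ACCESS_KEY_ID = "AKIDEXAMPLECONSTRUCTED"
SECRET_KEY = "constructed-secret-key-never-transmitted"


def string_to_sign(verb, resource, date, content_md5="", content_type=""):
    """Canonical description of the request that both sides rebuild independently."""
    return "\n".join([verb, content_md5, content_type, date]) + "\n" + resource


def sign(secret, verb, resource, date):
    """Base64(HMAC-SHA1(secret, string-to-sign)): proves knowledge of the secret."""
    msg = string_to_sign(verb, resource, date).encode("utf-8")
    mac = hmac.new(secret.encode("utf-8"), msg, hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def client_headers(verb, resource, date):
    """What the client puts on the wire: key ID and signature, not the secret."""
    sig = sign(SECRET_KEY, verb, resource, date)
    return {"Date": date, "Authorization": f"AWS {ACCESS_KEY_ID}:{sig}"}


def server_verify(verb, resource, headers, secrets_by_id):
    """Service side: look up the secret by key ID, recompute, constant-time compare."""
    scheme, _, cred = headers["Authorization"].partition(" ")
    key_id, _, sent_sig = cred.partition(":")
    secret = secrets_by_id.get(key_id)
    if scheme != "AWS" or secret is None:
        return False
    expected = sign(secret, verb, resource, headers["Date"])
    return hmac.compare_digest(expected, sent_sig)


def demo():
    date = "Tue, 08 Jun 2010 12:00:00 GMT"  # constructed sample date
    res = "/example-bucket/photo.jpg"       # constructed bucket and key
    headers = client_headers("GET", res, date)
    store = {ACCESS_KEY_ID: SECRET_KEY}
    return {
        "secret_on_wire": any(SECRET_KEY in v for v in headers.values()),
        "valid": server_verify("GET", res, headers, store),
        "tampered_resource": server_verify("GET", "/example-bucket/other.jpg", headers, store),
        "reused_for_delete": server_verify("DELETE", res, headers, store),
    }
```

Signing keeps the secret off the wire and binds the signature to one verb, resource and date, but it does not hide the request or the object data; that confidentiality comes from the SSL transport.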
