David Kreps

When using one's own tile server, are the images it serves sent directly to the end user's browser, without stopping (say at a MSFT server) along the way? For my application, this is pretty important from a security perspective. Thanks.

Re: Tile Server and Security

Duncan Garratt

From an information security (InfoSec) point of view, Virtual Earth is not a secure system when using tile overlays or tile substitution. In this respect a Virtual Earth application would fail BS7799 and ISO 27001 auditing/standards. Therefore it is not a suitable mapping system for displaying restricted or higher classified information typically held by governments. Having said that, Virtual Earth is an excellent system for publishing non-classified information of any kind.

There is a grey area where other legislation such as the UK Data Protection Act would have influence in the application/system design. In this respect normal web security procedures, processes, penetration testing, etc. would be seen as good practice.

From a tile security point of view, even if the tiles were being served by your own server they could not be regarded as in any way secure. Without going into the details of Internet and browser security, Map Point would be a better option, coupled with your own tile overlays running within a Winforms application, where security holes can be plugged.

For more information on information security risk assessment:


Duncan Garratt


Re: Tile Server and Security


Your custom tiles are requested directly from the client in JavaScript. So, for example, if those tiles were secured to your network, or by authentication, then you would quite happily have a secured way of functioning. Except that if the information is transmitted across a public network it can be intercepted and read, just like anything on the internet. The usual solution is SSL.

Unfortunately you cannot run VE under SSL; serving that many images would be a performance nightmare. If your tiles and any data are restricted to your company network this is usually an accepted solution.