Flasher Archive
Subject: RE: FLASH: ENCRYPTION and Flash 4
From: Damien Morton
Date: Fri, 7 Jul 2000 22:35:46 +0100

I believe that all flash http transactions are handled by the browser, so,
yes, SWFs loaded using Load Movie are also cached. A clever trickster would
look at the loading SWF to see what URL it is loading from, or possibly also
use a packet sniffer to monitor client server communications (I don't think
URLs are encrypted when using SSL).

I think the technique mentioned in the thread about online banking holds the
most promise. That technique involved generating a unique SWF for each
session. SWFs thus generated would have a session code (probably a large
cryptographically random number) embedded into them at the server end before
they are sent to the client. Using this technique combined with using https
means that a trickster would have to put a large amount of effort in to be
able to fake a single session. Chances are, the session would expire before
the trickster has a chance to complete their trickery. I'm no security expert,
but I would also suggest that the session code be updated from the server
after every http transaction, and at timed intervals. This would turn the
session code into some kind of crypto sequence number.

Again, there is no 100% sure way to guarantee that the flash applet the
server is communicating with is in fact a flash applet, nor that it is the
flash applet it thinks it is communicating with. This is the case for all
programs, not just flash applets.

> -----Original Message-----
> From: ownerchinwag [dot] com [mailto:ownerchinwag [dot] com] On Behalf Of Helen
> Triolo
> Sent: Friday, July 07, 2000 2:46 PM
> To: flasherchinwag [dot] com
> Subject: Re: FLASH: ENCRYPTION and Flash 4
>
>
> Damien Morton wrote:
> >
> > This technique should prevent most users from tricking your servers. It
> > works by hiding from view the data that is sent back and forth. A clever
> > trickster can probably figure out what is being sent back and forth by
> > examining the SWF file itself.
> >
> On the subject of security, can a person (through a browser) get at a
> swf that is loaded via a Load Movie? Is it retrievable through the
> browser cache as the base movie is? If not, it seems that that would be
> the safest place to put code that you didn't want people to be able to
> get to.
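
The rotating session code described in the message above, sketched server-side as an added example that is not part of the original post or of any Flash or server product. The class and function names, the 30-second lifetime, and the choice to drop the session on a wrong or replayed code are assumptions; the timed update is modelled as an expiry.

```python
import hmac
import secrets
import time

TOKEN_TTL = 30.0  # assumed lifetime in seconds of one session code


class SessionCodes:
    """Server-side store of rotating, single-use session codes (hypothetical)."""

    def __init__(self, ttl=TOKEN_TTL, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock
        self._live = {}  # session id -> (current code, expiry time)

    def _issue(self, sid):
        code = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
        self._live[sid] = (code, self._clock() + self._ttl)
        return code

    def start(self):
        """New session: the returned code is what the server would embed
        in the per-session SWF before sending it over https."""
        sid = secrets.token_hex(8)
        return sid, self._issue(sid)

    def exchange(self, sid, presented):
        """Check the code sent with a request and return the next code.
        A wrong, replayed or expired code returns None and ends the session."""
        entry = self._live.pop(sid, None)  # every code is usable at most once
        if entry is None:
            return None
        code, expiry = entry
        fresh = self._clock() <= expiry
        same = hmac.compare_digest(code.encode(), presented.encode())
        return self._issue(sid) if fresh and same else None


def demo():
    """Constructed walk-through using a fake clock so expiry is deterministic."""
    now = [0.0]
    store = SessionCodes(ttl=30.0, clock=lambda: now[0])
    sid, c0 = store.start()
    c1 = store.exchange(sid, c0)            # legitimate request: code rotates
    replay = store.exchange(sid, c0)        # old code replayed: rejected
    after_replay = store.exchange(sid, c1)  # session was ended by the replay
    sid2, d0 = store.start()
    now[0] += 31.0                          # client waits past the lifetime
    expired = store.exchange(sid2, d0)
    return (c1 is not None and c1 != c0, replay, after_replay, expired)
```
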