Re: FLASH: security problem with Shockwave?...

[John Dowdell]

At 5:19 AM 3/22/99, Michael J. Buchholz \"Buck\" wrote:

> Someone just forwarded this on to me the other day, is there any truth

> to it and, if so, does it effect FLASH?


As John C notes, info's up on the website, and Flash is not involved at all.


If you could correct the alarm that was sent out, then that would be

greatly appreciated! (Rephrased, old info tends to float around and build

on itself... if you could provide the link to your source, then that would

be wonderful, thank you.)


Background: Some websites (including one magazine's site!) put user info

such as passwords into the URL. This is vulnerable to packet-sniffing and

other techniques.

   The Shockwave 7 Player has an option to poll for the most popular

Shockwave sites. If you choose this during install, then Shockwave URL

statistics are passed back as aggregate (unnamed) data when the Player

checks for newer components. This meant that the two people who had access

to this aggregate data could have read any sensitive info put into the URL.

   The current Shockwave 7 Player screens out recording any URLs which have

such user data appended. You can also change your privacy settings at any

time. (Also please note that the discussion brought more wishlist items in

to

privacymacromedia [dot] com

... I believe there will be more options in the

future, too.)

   More info: http://www.macromedia.com/shockwave/productinfo/privacy


(Sidenote: If you frequent sites that store passwords in URLs, then you may

wish to advise their webmasters against the practice, thanks.)


jd




John Dowdell, Macromedia Tech Support, San Francisco CA US

Search technotes: http://www.macromedia.com/support/search/

Offlist email risks capture by the spam filters. I may not see your

email if it's not on the list. Private one-on-one email options are

available via Priority Access: http://www.macromedia.com/support/




------------------------------------------------------------------------

To UNSUBSCRIBE send: unsubscribe flasher in the body of an

email to

list-managershocker [dot] com

.  Problems to:

ownershocker [dot] com

N.B. Email address must be the same as the one you used to subscribe.

For info on digest mode send: info flasher to

list-managershocker [dot] com