This is purely about security, not on crypto. For those of you not in the know, there is an exploitable hole in Adobe's "Flash" right now, and there is no fix available yet:
http://www.adobe.com/support/security/advisories/apsa09-03.html

(See also: http://www.us-cert.gov/cas/techalerts/TA09-204A.html )

The responsible thing would be to advise everyone to turn off flash until Adobe comes up with a fixed binary, but of course, if they did, large numbers of companies -- from the obvious Youtube and Hulu to the less obvious business down the street that uses Flash to handle their video catalog -- would be screwed. (Instead, of course, just about everyone out there with a web browser is screwed.)

This highlights an unfortunate instance of monoculture -- nearly everyone on the internet uses Flash for nearly all the video they watch, so just about everyone in the world is using a binary module from a single vendor day in, day out.

This is a bit of a wakeup call -- the use of standards based technologies to deliver content to users would likely have led to multiple implementations being in wide use, which would at least mitigate such problems.

It would also help quite a bit if we had better encapsulation technology. Binary plug-ins for browsers are generally a bad idea -- having things like video players in separate processes where operating system facilities can be used to cage them more effectively would also help to mitigate damage.

(By the way, for those that aren't aware, because recent versions of Acrobat Reader include the ability for PDFs to embed Flash, you are better off reading PDFs with third party PDF readers.)

Perry