On Thu, Feb 18, 2010 at 8:20 AM, Vivec <[email protected]> wrote:

> As a developer advising a client, can you advise them to use Flash as
> a frontend for any application that requires a username or password?

For starters, as an end user, I disapprove of a Flash front-end for usernames and passwords. The browser or 3rd party password generator/manager cannot store these IDs for future use. It's a pain to remember a 12 char password.

> Over 80% of exploits in 2009 were through Flash and PDF vectors.

Well, I highly doubt that... Microsoft itself patched 190 exploits in 2009. Anything that is as widely distributed as Windows / Flash / PDF is going to be a target.

> I was looking at AIR to be a solid base for portable applications, but
> now it seems that those applications could not hold any important
> personal information for it to be feasible.

Well, got me here on how you plan to use the AIR app. Storage is either a local SQLite DB or an external DB through maybe a remote cfc method that logs a person in to the app. An SSL connection to your cfc should be secure enough; storing anything local isn't.

> There is also little explanation of these exploits.
>
> Is it that the website needs to have written Flash code that abuses
> exploits on the Client machine, requiring the client to load one of
> these Flash movies? In that case the website developers themselves
> would be the ones trying to gain remote access to the client machine.

Not sure how far you can get with Flash, but AIR / Flex have access to the local file system. It's still been something I haven't liked the idea of, since I saw Ben Forta present AIR at cfExpress a few years back. I still don't understand that one... Like with music player AIR apps: what keeps the developer from grabbing that mp3 during playback and sending it off to their web server?

> Or is it that Flash itself contains exploits which can be attacked
> externally?
> i.e. the .swf file itself can be manipulated through URLs or other
> means to allow code execution on the client machine?

A Flash application can monitor only keyboard and mouse events that occur within its focus. A Flash application cannot detect keyboard or mouse events in another application.
But we've all seen those advertisements that expand out from the normal ad area; I would think that means the Flash app there is in focus.

> If not Flash, then what other visual environment is there for writing
> applications that is portable?

Got me there...

Archive: http://www.houseoffusion.com/groups/cf-community/message.cfm/messageid:312205
