Hi Glen,
If you really want to keep people from seeing some data until a certain
date (depending on how sensitive it is), you should probably keep a pair
of swfs instead of just serving up the one.
You'd serve the pre-date swf before the event, then on the day of the
event, you'd switch to serving the swf with the new data. That way no
amount of snooping will allow a curious user to grab your restricted
data, since you won't have served it up.
Really, keeping the data off the user's machine is the only way to
prevent them from accessing it.
That said, some reasonable amount of obfuscation (funky named variables,
encoded date info, etc.) could be used to at least make it less likely
for novice snoopers to grab your restricted data. I'd only recommend
that if the information is not terribly sensitive though.
Kevin N.
On 3/11/2011 4:53 AM, Glen Pike wrote:
Okay, so it is possible to change the date using a sniffer, but being
as the majority of people don't tend to use sniffers, unless the guy
is writing a critical application that flies planes or crashes them if
the date is wrong then I would suggest that the risk assessment here
would be to accept the fact that there are some people there who might
use a sniffer and change the date.
If we all ran around with the attitude that you can't trust anyone, so
what's the point, we would still be in the dark ages.
On 11/03/2011 09:45, Henrik Andersson wrote:
Glen Pike wrote:
Hello,
The parameters that you pass to the SWF in your HTML are different to
communicating with a back-end system.
If you look at URLLoader in ActionScript, this enables you to load data
as you would load a web page.
You would use URLLoader with your server-side code, e.g. PHP to do GET
and POST type requests:
This way, your users cannot "inject" their own date and it is also
possible to have "login" type facilities.
You clearly haven't heard of HTTP request sniffers. With something
like Fiddler <http://www.fiddler2.com/> I can easily override the
reply from any server.
And no, SSL does not help there. I can authorize any certificate
authority I feel like, including my own one.
And for any other checksum/validation I can always just edit the swf
file to skip the check.
In the end it is the same age-old trusted client problem. You just
can't protect code that runs on the client.
_______________________________________________
Flashcoders mailing list
[email protected]
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
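
The server-side switch recommended at the top of this thread, as an added example that is not part of the original messages: one public URL is mapped to one of two files by the server's clock alone, and the post-event file cannot be requested by name. It is written in Python (WSGI) rather than the PHP mentioned above; `RELEASE_AT`, `ASSET_DIR`, `/movie.swf` and the two file names are assumptions made for illustration.

```python
# Added example (not from the thread): server-side release gating.
# All names, paths and the release date below are constructed assumptions.
import os
from datetime import datetime, timezone

RELEASE_AT = datetime(2011, 4, 1, 0, 0, tzinfo=timezone.utc)  # constructed date
ASSET_DIR = "/srv/private_assets"   # outside the web root, never served directly
PUBLIC_PATH = "/movie.swf"          # the only URL clients ever request

def pick_asset(now):
    """Choose the file from the server clock only."""
    return "post_event.swf" if now >= RELEASE_AT else "pre_event.swf"

def make_app(clock=lambda: datetime.now(timezone.utc), read=None):
    """Build a WSGI app; clock and read are injectable for testing."""
    def read_file(name):
        with open(os.path.join(ASSET_DIR, name), "rb") as fh:
            return fh.read()
    read = read or read_file

    def app(environ, start_response):
        # Anything other than the single public path is refused, so the
        # post-event file cannot be fetched by guessing its name.
        if environ.get("PATH_INFO") != PUBLIC_PATH:
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found"]
        # QUERY_STRING and request headers are deliberately never consulted:
        # any date sent by the client is under the client's control.
        now = clock()
        body = read(pick_asset(now))
        headers = [("Content-Type", "application/x-shockwave-flash"),
                   ("Content-Length", str(len(body)))]
        if now < RELEASE_AT:
            # Cap caching so the old file is not replayed after the switch.
            ttl = min(300, int((RELEASE_AT - now).total_seconds()))
        else:
            ttl = 300
        headers.append(("Cache-Control", "max-age=%d" % ttl))
        start_response("200 OK", headers)
        return [body]
    return app
```

The restricted file only leaves the server once the server's own clock passes the release time, so overriding replies with a proxy or editing the pre-event SWF yields nothing that was not already served.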