Okay, so it is possible to change the date using a sniffer, but being as
the majority of people don't tend to use sniffers, unless the guy is
writing a critical application that flies planes or crashes them if the
date is wrong then I would suggest that the risk assessment here would
be to accept the fact that there are some people there who might use a
sniffer and change the date.
if we all ran around with the attitude that you can't trust anyone, so
what's the point, we would still be in the dark ages.
On 11/03/2011 09:45, Henrik Andersson wrote:
Glen Pike skriver:
Hello,
The parameters that you pass to the SWF in your HTML are different to
communicating with a back-end system.
If you look at URLLoader in actionscript. This enables you to load data
as you would load a web-page.
You would use URLLoader with your server-side code, e.g. PHP to do GET
and POST type requests:
This way, your users cannot "inject" their own date and it is also
possible to have "login" type facilities.
You clearly haven't heard of HTTP request sniffers. With something
like Fiddler <http://www.fiddler2.com/> I can easily override the
reply from any server.
And no, SSL does not help there. I can authorize any certificate
authority I feel like, including my own one.
And for any other checksum/validation I can always just edit the swf
file to skip the check.
In the end it is the same ages old trusted client problem. You just
can't protect code that runs on the client.
_______________________________________________
Flashcoders mailing list
Flashcoders@chattyfig.figleaf.com
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
_______________________________________________
Flashcoders mailing list
Flashcoders@chattyfig.figleaf.com
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
