I agree w/ you on the loading of sensitive data. I believe you're wrong w/ regards to your point on entering sensitive data. A quick check of some of the large and medium-size e-commerce sites written in html, php, etc. will redirect you to the https site BEFORE you enter the credit card data. Perhaps you didn't understand Miti's article: he specifically uses a popup window to deal w/ the payments system since he believes that flex isn't secure enough for a user to enter in credit card info. Otherwise, he would have just used a credit card form w/in flex that gets passed to the Amazon API on the backend.
--- In [email protected], Jimmy G <angelone197...@...> wrote:
>
> Ok, after reading the devnet article that you read, let me explain.
>
> ENTERING SENSITIVE DATA
>
> When you enter a card number in an HTML web site, the user will enter the clear text credit number and then hit the submit button. The data will then be encrypted and sent to your secure server (via HTTPS).
>
> When you enter a card number in a Flex app, the user will enter the clear text credit number and then hit the submit button. The data will then be sent to the server in a binary format and encrypted.
>
> So basically it's the same situation with both technologies. And yes we do this at my company :)
>
> LOADING SENSITIVE DATA
>
> The loading is where you have to be careful. Say in a Flex app you load the user's full payment information to display it. DON'T return the full card number to your Flex app! Even though you might just display the last four digits of the card number, the full card is in memory somewhere. So a potential evil user could use a memory sniffer to find and extract the full card number. But then again you can make this same mistake with a traditional HTML/JS web site by loading full card details using an AJAX call and holding the full card number in memory, bad!
>
> So basically is Flex less secure? No. Can a developer code it up to make it less secure? Yes.
>
> Let me know if you have any more questions.
>
> On Sun, Apr 18, 2010 at 9:19 PM, garykim...@... <garykim...@...> wrote:
> >
> > the link has everything to do with my question. He gives an example of a shopping cart/payment system setup in Flex. This raises my question of whether or not flash is secure enough to operate his phone store in real life.
> >
> > More specifically, user enters information into flash app, which then sends it somewhere to get processed (presumably some HTTPS address). The period of time where flash is transferring info to the HTTPS address is not secure, as described here:
> > http://www.adobe.com/devnet/flex/articles/flex_amazon_02.html
> >
> > Specifically, Miti (a Flex Evangelist, so we should take his word for it, right?) says:
> >
> > "hardcoding sensitive information into a Flex application is a highly insecure practice".
> >
> > So, is it possible that Pandora's (100% Flex) payments system is secure?
> >
> > --- In [email protected] <flexcoders%40yahoogroups.com>, Jimmy G <angelone197555@> wrote:
> > >
> > > What gave you the impression that a UI built in Flex is less secure than one built in HTML? In both cases the end-user can input sensitive data like credit card information and then it is up to you to set up proper security. Like making sure that the client to server communication is done using SSL (meaning HTTPS). If you don't do this in either case, then anyone can capture the data that is being transmitted.
> > >
> > > You need to provide more information so we can help you.
> > >
> > > Also the link you provide below doesn't have anything to do with your question.
> > >
> > > Jimmy
> > >
> > > On Sun, Apr 18, 2010 at 12:01 PM, garykimble@ <garykimble@> wrote:
> > > >
> > > > I was under the impression that flex is not a secure UI and that credit card information and other sensitive information should not be passed through flash/flex.
> > > >
> > > > When I upgraded my account with Pandora, I noticed the payments system interface was flash. Also, there is the flex store that Coenraets talks about at
> > > > http://coenraets.org/blog/2010/02/flexstore-revisited-building-an-animated-spark-layout/
> > > >
> > > > So, are these methods not secure, then?
> > >
> > > --
> > > Jimmy G
> > > Development Team Lead
>
> --
> Jimmy G
> Development Team Lead
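A server-side illustration of the "loading sensitive data" point in the quoted thread: the naive response that hands the Flex client the whole stored record beside a hardened one that only ever sends the masked card, plus a check that can run over outgoing responses. This is an added example, not code from anyone in the thread; it assumes a Python backend and a constructed stored-card record.

```python
import json
import re

# Constructed sample of what a backend might hold for a customer's saved card.
# The CVV appears only to show that it must never reach the client; a real
# backend should not store it at all (assumption: record shape as below).
STORED_PAYMENT = {
    "customer_id": 4711,
    "card_holder": "A. Example",
    "pan": "4111111111111111",  # constructed test number, not a real account
    "expiry": "12/27",
    "cvv": "123",
}

# Card numbers (PANs) are 12 to 19 digits; anything else is rejected early.
PAN_RE = re.compile(r"\d{12,19}")


def mask_pan(pan: str) -> str:
    """Return the PAN with every digit but the last four replaced by '*'."""
    if not PAN_RE.fullmatch(pan):
        raise ValueError("PAN must be 12-19 digits")
    return "*" * (len(pan) - 4) + pan[-4:]


def naive_payment_view(record: dict) -> str:
    """The mistake described in the thread: the whole record is serialised for
    the Flex client, so the full PAN (and CVV) sit in client memory even though
    the UI only shows the last four digits."""
    return json.dumps(record)


def safe_payment_view(record: dict) -> str:
    """Hardened form: build a fresh dict with only what the UI needs to render.
    The full PAN and the CVV never leave the server."""
    view = {
        "customer_id": record["customer_id"],
        "card_holder": record["card_holder"],
        "masked_pan": mask_pan(record["pan"]),
        "expiry": record["expiry"],
    }
    return json.dumps(view)


def response_leaks_pan(serialized: str) -> bool:
    """Guard for tests or an outbound logging filter: any run of 12+ digits in
    a client-bound response is treated as a possible full card number."""
    return re.search(r"\d{12,}", serialized) is not None
```

Running `response_leaks_pan` over the naive view flags it, while the safe view passes and contains no `cvv` key at all.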

