My interpretation of the article, and the recommendation of the Adobe security experts, is that you should go to HTTPS before collecting sensitive data from the user not for technical security reasons, but for user security reasons. Collecting the data in Flash and sending it to the payment server via HTTPS is totally secure, but the user still sees HTTP in the browser address bar if your SWF and wrapper were served over HTTP, and none of the other security hints like the lock symbol or custom icons will be available, so many folks like me will chicken out of entering such data.
On 4/19/10 4:30 PM, "[email protected]" <[email protected]> wrote:

I agree w/ you on the loading of sensitive data. I believe you're wrong w/ regards to your point on entering sensitive data. A quick check of some of the large and medium-size e-commerce sites written in html, php, etc. will redirect you to the https site BEFORE you enter the credit card data.

Perhaps you didn't understand Miti's article: He specifically uses a popup window to deal w/ the payments system since he believes that flex isn't secure enough for a user to enter in credit card info. Otherwise, he would have just used a credit card form w/in flex that gets passed to the Amazon API on the backend.

--- In [email protected] <mailto:flexcoders%40yahoogroups.com>, Jimmy G <angelone197...@...> wrote:
>
> Ok, after reading the devnet article that you read, let me explain.
>
> ENTERING SENSITIVE DATA
>
> When you enter a card number in a HTML web site, the user will enter the clear text credit number and then hit the submit button. The data will then be encrypted and sent to your secure server (via HTTPS).
>
> When you enter a card number in a Flex app, the user will enter the clear text credit number and then hit the submit button. The data will then be sent to the server in a binary format and encrypted.
>
> So basically it's the same situation with both technologies. And yes, we do this at my company :)
>
> LOADING SENSITIVE DATA
>
> The loading is where you have to be careful. Say in a Flex app you load the user's full payment information to display it. DON'T return the full card number to your Flex app! Even though you might just display the last four digits of the card number, the full card is in memory somewhere. So a potential evil user could use a memory sniffer to find and extract the full card number.
>
> But then again you can make this same mistake with a traditional HTML/JS web site by loading full card details using an AJAX call and holding the full card number in memory, bad!
>
> So basically is Flex less secure? No. Can a developer code it up to make it less secure? Yes.
>
> Let me know if you have any more questions.
>
> On Sun, Apr 18, 2010 at 9:19 PM, garykim...@... <garykim...@...> wrote:
> >
> > The link has everything to do with my question. He gives an example of a shopping cart/payment system setup in Flex. This raises my question of whether or not flash is secure enough to operate his phone store in real life.
> >
> > More specifically, user enters information into flash app, which then sends it somewhere to get processed (presumably some HTTPS address). The period of time where flash is transferring info to the HTTPS address is not secure, as described here:
> > http://www.adobe.com/devnet/flex/articles/flex_amazon_02.html
> >
> > Specifically, Miti (a Flex Evangelist, so we should take his word for it, right?) says:
> >
> > "hardcoding sensitive information into a Flex application is a highly insecure practice".
> >
> > So, is it possible that Pandora's (100% Flex) payments system is secure?
> >
> > --- In [email protected] <mailto:flexcoders%40yahoogroups.com> <flexcoders%40yahoogroups.com>, Jimmy G <angelone197555@> wrote:
> > >
> > > What gave you the impression that a UI built in Flex is less secure than one built in HTML? In both cases the end-user can input sensitive data like credit card information and then it is up to you to set up proper security. Like making sure that the client to server communication is done using SSL (meaning HTTPS). If you don't do this in either case, then anyone can capture the data that is being transmitted.
> > >
> > > You need to provide more information so we can help you.
> > >
> > > Also the link you provide below doesn't have anything to do with your question.
> > >
> > > Jimmy
> > >
> > > On Sun, Apr 18, 2010 at 12:01 PM, garykimble@ <garykimble@> wrote:
> > > >
> > > > I was under the impression that flex is not a secure UI and that credit card information and other sensitive information should not be passed through flash/flex.
> > > >
> > > > When I upgraded my account with Pandora, I noticed the payments system interface was flash. Also, there is the flex store that Coenraets talks about at
> > > > http://coenraets.org/blog/2010/02/flexstore-revisited-building-an-animated-spark-layout/
> > > >
> > > > So, are these methods not secure, then?
> > >
> > > --
> > > Jimmy G
> > > Development Team Lead
>
> --
> Jimmy G
> Development Team Lead

--
Alex Harui
Flex SDK Team
Adobe System, Inc.
http://blogs.adobe.com/aharui
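The "LOADING SENSITIVE DATA" advice in the thread (never return the full card number to the Flex or HTML client, send only the last four digits) is a server-side concern, regardless of which client technology renders it. The following is an added example, not code from the thread or from Adobe, showing how a backend can shape the payment-method payload it returns and, as a last line of defence, refuse to serialize any response that still contains a Luhn-valid 13-19 digit run. The record layout, field names and the `pm_demo_1` identifier are assumptions; `4111111111111111` is the well-known Visa test number, not a real card.

```python
import json
import re
from typing import Any

# Constructed sample of what a stored payment method might look like on the
# server. Field names are hypothetical; the PAN is the standard Visa test number.
STORED_PAYMENT_METHOD = {
    "id": "pm_demo_1",          # hypothetical identifier
    "brand": "visa",
    "pan": "4111111111111111",  # full card number: must never reach the client
    "exp_month": 12,
    "exp_year": 2027,
    "holder": "Jane Doe",
}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every real card number passes it, so it is a good
    filter for 'this digit run is probably a PAN'."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits. Everything else is replaced, so the
    client never holds the full number in memory at all."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("not a PAN")
    return "*" * (len(pan) - 4) + pan[-4:]


def client_view(record: dict) -> dict:
    """Build the payload the Flex/HTML client gets: masked PAN, no full number,
    and no cardholder name either, since the display does not need it."""
    return {
        "id": record["id"],
        "brand": record["brand"],
        "masked_pan": mask_pan(record["pan"]),
        "last4": record["pan"][-4:],
        "exp_month": record["exp_month"],
        "exp_year": record["exp_year"],
    }


# 13-19 digits, optionally separated by single spaces or dashes, not adjacent
# to other digits. Short numbers such as years or last-four fields never match.
_DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid 13-19 digit runs found in text, separators removed."""
    hits = []
    for m in _DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def serialize_for_client(payload: Any) -> str:
    """Serialize a response body and refuse to emit it if a PAN slipped in,
    for example because someone returned the raw stored record by mistake."""
    body = json.dumps(payload)
    leaked = find_pans(body)
    if leaked:
        raise RuntimeError(f"response would leak {len(leaked)} card number(s)")
    return body


if __name__ == "__main__":
    print(serialize_for_client(client_view(STORED_PAYMENT_METHOD)))
    try:
        serialize_for_client(STORED_PAYMENT_METHOD)   # the mistake the thread warns about
    except RuntimeError as e:
        print("blocked:", e)
```

The egress check is deliberately a second layer: `client_view` is the real fix (do not put the PAN in the response in the first place), and `serialize_for_client` catches the regression where a later endpoint returns the stored record wholesale. Luhn filtering keeps false positives low, but any hit should be treated as a bug to fix on the server, not something to strip silently.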

