You can load the Flex app from an HTTPS site right off the bat; that's what you would have to do if that app is processing payments. That only makes sense, so the communication will be encrypted. If you load the Flex app via HTTP, then yes, that is the wrong way to do it; like I said, a developer can make a mistake :)

On Mon, Apr 19, 2010 at 7:30 PM, [email protected] < [email protected]> wrote:

> I agree w/ you on the loading of sensitive data. I believe you're wrong w/
> regards to your point on entering sensitive data. A quick check of some of
> the large and medium-size e-commerce sites written in html, php, etc. will
> redirect you to the https site BEFORE you enter the credit card data.
> Perhaps you didn't understand Miti's article: He specifically uses a popup
> window to deal w/ the payments system since he believes that flex isn't
> secure enough for a user to enter in credit card info. Otherwise, he would
> have just used a credit card form w/in flex that gets passed to the Amazon
> API on the backend.
>
> --- In [email protected] <flexcoders%40yahoogroups.com>, Jimmy G
> <angelone197...@...> wrote:
> >
> > Ok, after reading the devnet article that you read, let me explain.
> >
> > ENTERING SENSITIVE DATA
> >
> > When you enter a card number in an HTML web site, the user will enter the
> > clear text credit number and then hit the submit button. The data will then
> > be encrypted and sent to your secure server (via HTTPS).
> >
> > When you enter a card number in a Flex app, the user will enter the clear
> > text credit number and then hit the submit button. The data will then be
> > sent to the server in a binary format and encrypted.
> >
> > So basically the same situation with both technologies. And yes we do this at
> > my company :)
> >
> > LOADING SENSITIVE DATA
> >
> > The loading is where you have to be careful. Say in a Flex app you load the
> > user's full payment information to display it. DON'T return the full card
> > number to your Flex app! Even though you might just display the last four
> > digits of the card number, the full card is in memory somewhere. So a
> > potential evil user could use a memory sniffer to find and extract the full
> > card number. But then again you can make this same mistake with a traditional
> > HTML/JS web site by loading full card details using an AJAX call and holding
> > the full card number in memory, bad!
> >
> > So basically is Flex less secure? No. Can a developer code it up to make it
> > less secure? Yes.
> >
> > Let me know if you have any more questions.
> >
> > On Sun, Apr 18, 2010 at 9:19 PM, garykim...@... <garykim...@...> wrote:
> >
> > > the link has everything to do with my question. He gives an example of a
> > > shopping cart/payment system setup in Flex. This raises my question of
> > > whether or not flash is secure enough to operate his phone store in real
> > > life.
> > >
> > > More specifically, user enters information into flash app, which then sends
> > > it somewhere to get processed (presumably some HTTPS address). The period of
> > > time where flash is transferring info to the HTTPS address is not secure, as
> > > described here:
> > > http://www.adobe.com/devnet/flex/articles/flex_amazon_02.html
> > >
> > > Specifically, Miti (a Flex Evangelist, so we should take his word for it,
> > > right?) says:
> > >
> > > "hardcoding sensitive information into a Flex application is a highly
> > > insecure practice".
> > >
> > > So, is it possible that Pandora's (100% Flex) payments system is secure?
> > >
> > > --- In [email protected] <flexcoders%40yahoogroups.com>, Jimmy G
> > > <angelone197555@> wrote:
> > > >
> > > > What gave you the impression that UI built in Flex less secure than one
> > > > built in HTML? In both cases the end-user can input sensitive data like
> > > > credit card information and then it is up to you to set up proper security.
> > > > Like making sure that the client to server communication is done using SSL
> > > > (meaning HTTPS). If you don't do this in either case, then anyone can capture
> > > > the data that is being transmitted.
> > > >
> > > > You need to provide more information so we can help you.
> > > >
> > > > Also the link you provide below doesn't have anything to do with your
> > > > question.
> > > >
> > > > Jimmy
> > > >
> > > > On Sun, Apr 18, 2010 at 12:01 PM, garykimble@ <garykimble@> wrote:
> > > >
> > > > > I was under the impression that flex is not a secure UI and that credit
> > > > > card information and other sensitive information should not be passed
> > > > > through flash/flex.
> > > > >
> > > > > When I upgraded my account with Pandora, I noticed the payments system
> > > > > interface was flash. Also, there is the flex store that Coenraets talks about
> > > > > at
> > > > > http://coenraets.org/blog/2010/02/flexstore-revisited-building-an-animated-spark-layout/
> > > > >
> > > > > So, are these methods not secure, then?
> > > >
> > > > --
> > > > Jimmy G
> > > > Development Team Lead
> >
> > --
> > Jimmy G
> > Development Team Lead

--
Jimmy G
Development Team Lead

