Marcelo,

Ahh... ok. Cool! If I may ask another question that I neglected to  
post and that is what kind of back end technology are you using? Java,  
PHP, ASP.NET?

Cheers,
Sam

On Nov 6, 2007, at 3:54 PM, Marcelo de Moraes Serpa wrote:

> Hello Samuel,
>
>> If I may chime in this discussion.. what are you trying to protect? The
>> actual swf or access to services exposed in the swf?
>
> Yes, it wasn't clear. Actually I'm not really trying to protect the
> SWF but instead restrict the ways it can be served. Mine is an
> application somewhat like youtube but more restricted, so, I wouldn't
> want anyone to get the URL and play the videos anywhere (outside of
> the allowed domain).
>
> On Nov 6, 2007 4:41 PM, Samuel Agesilas <[EMAIL PROTECTED]> wrote:
>> Marcelo,
>>
>> If I may chime in this discussion.. what are you trying to protect? The
>> actual swf or access to services exposed in the swf?
>>
>> cheers,
>> Sam
>>
>>
>>
>> On Nov 4, 2007, at 6:42 PM, Jonathan Valliere wrote:
>>
>> Marcelo,
>>
>> As far as referrer checking, you're going to need to search Google or get in
>> touch with a Red5 developer ( put it on the Red5 mailing list ).
>>
>> Encryption:  You can load in SWF binary via ByteArray and encryption can be
>> done with ByteArray data ( that can be loaded via .. Loader ?? ).
>> Essentially you encrypt your SWF binary ( and store it encrypted on the
>> server ) and load it in over HTTPS and decrypt it based on a public/private
>> key based on a secondary encryption mechanism located inside the first one
>> and load into a SWFLoader at runtime.  Run the entire application over HTTPS
>> with cache off and it should be pretty damn secure.
>>
>> http://en.wikipedia.org/wiki/Public-key_cryptography
>>
>> http://en.wikipedia.org/wiki/Encryption
>>
>> http://en.wikipedia.org/wiki/Topics_in_cryptography
>>
>> I bet there are a lot of good books on Cryptography.
>>
>> -Jon
>>
>>
>> On Nov 4, 2007, at 7:24 PM, Marcelo de Moraes Serpa wrote:
>> Hello Jonathan,
>>
>>> You could protect swfs over RTMP via Red5 to make sure of a correct referrer.
>>
>>
>>> You could also load in an encrypted SWF that contains a secondary encrypted
>>> Binary file that self-decrypts ( and runs ) and is responsible for
>>> referrer / self-authentication over HTTPS / RTMP.
>>
>>
>> Any examples or maybe pointers to articles that elaborate on these
>> techniques?
>>
>> Thanks,
>>
>> Marcelo.
>>
>>
>>
>> On 11/4/07, Jonathan Valliere <[EMAIL PROTECTED]> wrote:
>>>
>>> yeah but you can't protect against everything.  you can encrypt your swfs,
>>> decrypt them clientside but that could also ultimately be faked given enough
>>> time and data capture.
>>>
>>>
>>> You could protect swfs over RTMP via Red5 to make sure of a correct
>>> referrer.  You could also load in an encrypted SWF that contains a secondary
>>> encrypted Binary file that self-decrypts ( and runs ) and is responsible for
>>> referrer / self-authentication over HTTPS / RTMP.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Nov 4, 2007, at 12:23 PM, Marcelo de Moraes Serpa wrote:
>>>
>>>
>>>> Read the URL from the browser and see if the domain is valid.  I forget
>>>> how to get it normally but in Flex you get it this way
>>>>
>>>
>>> Yes, but one could possibly decompile the SWF and remove this code (since
>>> it is client side).
>>>
>>>
>>> On 11/4/07, Jonathan Valliere <[EMAIL PROTECTED] > wrote:
>>>>
>>>> Read the URL from the browser and see if the domain is valid.  I forget
>>>> how to get it normally but in Flex you get it this way
>>>>
>>>>
>>>> Application( Application.application ).url
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Nov 3, 2007, at 11:40 AM, Jean-Philippe DELAVALLADE wrote:
>>>>
>>>> It's perhaps a solution
>>>> but I prefer using a referer like in Flash Media Server
>>>> I don't find it in RED5
>>>>
>>>>
>>>>
>>>> On 3 Nov. 07 at 16:23, Marcelo de Moraes Serpa wrote:
>>>>
>>>> Hmm.. yep, haven't thought about the domain restrictions of the player,
>>>> it might work!
>>>>
>>>> @Paul: Afaik, it works like this: When the player downloads a SWF from a
>>>> domain, it looks for a crossdomain.xml file that in turn contains rules on
>>>> which other domains are allowed to play your SWF files you are serving
>>>> through your domain. Please someone correct me if I'm wrong.
>>>>
>>>> Cheers,
>>>>
>>>> Marcelo.
>>>>
>>>>
>>>> On 11/3/07, Jean-Philippe DELAVALLADE < [EMAIL PROTECTED]> wrote:
>>>>>
>>>>> Thanks Paul :)
>>>>> Add a cross-domain policy, which prevents unauthorized domains from
>>>>> accessing your assets.
>>>>> but how ??
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 3 Nov. 07 at 14:42, paul|LOWRES wrote:
>>>>>
>>>>>
>>>>>
>>>>> maybe a cross-domain policy is what you are looking for?
>>>>>
>>>>> http://livedocs.adobe.com/flash/9.0/UsingFlash/help.html?content=WSd60f23110762d6b883b18f10cb1fe1af6-7b35.html
>>>>>
>>>>>
>>>>> cheers,
>>>>> paul
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 03.11.2007 at 14:01, Marcelo de Moraes Serpa wrote:
>>>>>
>>>>> Hello Jean,
>>>>>
>>>>> I'm also searching for a way to restrict my flash application to a
>>>>> domain. Actually I thought of serving the SWF through a script instead of
>>>>> letting the webserver serve it so that I could do this referrer check
>>>>> server-side (using Ruby/Rails or PHP for example). Code to check the
>>>>> referrer in the SWF could work but someone could decompile your SWF and
>>>>> remove this check.
>>>>>
>>>>> If someone got some ideas regarding that, please share!
>>>>>
>>>>> Marcelo.
>>>>>
>>>>>
>>>>> On 10/26/07, Jean-Philippe DELAVALLADE < [EMAIL PROTECTED]> wrote:
>>>>>>
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>>
>>>>>> I would like to protect my application, do a referrer in fact
>>>>>> I've tried this code but the server never runs with that:
>>>>>>
>>>>>>
>>>>>> public boolean appConnect(IConnection conn, Object[] params) {
>>>>>>    String pageUrl = (String)conn.getConnectParams().get( "pageUrl" );
>>>>>>    log.debug( "L'URL de la pages est : " +pageUrl);
>>>>>>    if(pageUrl != "http://mydomain"){
>>>>>>        return false;
>>>>>>    }
>>>>>> Can you show me the way, so that my app just runs under my domain?
>>>>>>
>>>>>>
>>>>>> Thanks guys
>>>>>>
>>>>>>
>>>>>> JP
>>>>>> _______________________________________________
>>>>>> osflash mailing list
>>>>>> [email protected]
>>>>>> http://osflash.org/mailman/listinfo/osflash_osflash.org


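The `appConnect` snippet quoted at the bottom of this thread compares strings with `!=`, which in Java compares object references, so the condition is true for any value read from the connect parameters. The following is an added example, not code from the thread or from Red5: a stand-alone host allow-list check for the `pageUrl` value; the class name `PageUrlCheck`, the host `mydomain.example` and the sample URLs are constructed. `pageUrl` is reported by the connecting client, so the check filters ordinary embedding on other sites but is not authentication.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Added example: PageUrlCheck and mydomain.example are hypothetical names.
public class PageUrlCheck {
    private final Set<String> allowedHosts;

    public PageUrlCheck(Set<String> allowedHosts) { this.allowedHosts = allowedHosts; }

    // True only when pageUrl parses as http(s) and its host is listed exactly.
    public boolean isAllowed(Object pageUrlParam) {
        if (!(pageUrlParam instanceof String)) {
            return false;                       // missing or wrong type: reject
        }
        try {
            URI uri = new URI(((String) pageUrlParam).trim());
            String scheme = uri.getScheme();
            String host = uri.getHost();
            if (scheme == null || host == null) {
                return false;                   // relative, opaque or host-less URL
            }
            scheme = scheme.toLowerCase(Locale.ROOT);
            if (!scheme.equals("http") && !scheme.equals("https")) {
                return false;                   // only web pages may embed the player
            }
            return allowedHosts.contains(host.toLowerCase(Locale.ROOT));
        } catch (URISyntaxException e) {
            return false;                       // unparseable value: reject
        }
    }

    public static void main(String[] args) {
        PageUrlCheck check = new PageUrlCheck(Set.of("mydomain.example"));
        // Constructed sample values, as a client might report them.
        List<String> samples = List.of(
            "http://mydomain.example/player.html",           // allowed
            "HTTP://MyDomain.example/",                      // allowed, case-insensitive
            "http://mydomain.example.other.test/",           // rejected: different host
            "http://other.test/?u=http://mydomain.example",  // rejected: host is other.test
            "file:///C:/tmp/player.html");                   // rejected: no host
        for (String s : samples) {
            System.out.println(check.isAllowed(s) + "  " + s);
        }
    }
}
```

Inside `appConnect`, the value to pass is `conn.getConnectParams().get("pageUrl")`, and the method returns `false` when `isAllowed` does, as in the quoted snippet.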