RE: [flexcoders] Re: Flex 2: about potential HTTPService timeout/security issues ...

2006-03-28 Thread dos dedos



I believe it boils down to actual experience and not any hypothetical reasoning, even though my reasoning appears to be correct (as far as I can tell). If actual experience has shown that the way Flash is doing it is indeed better and leads to higher market penetration for Flash compared to ActiveX, then we may throw out the counter argument (no matter how valid it may seem) in favor of the successful track record of the current approach, not that an outsider's argument could change anything so basic. I guess experience always trumps logic ... (self-inculcation in progress)

dos dedos [EMAIL PROTECTED] wrote:

> That is the reverse of the common philosophy on this issue. Usually, the end user is "trusted" with the decision because the assumption is that the end user is A) not stupid and B) not evil.
>
> Defending all servers out there against the threat of an attack by all Flash clients (irrespective of their intent) means that all Flash clients are presumed guilty unless the server owner decides that they're not, but it is the end user who is able to judge whether a given Flash client is to be trusted or not. The server owner has no way of knowing because they're not the ones downloading the Flash content, the users are.
>
> So if the server owner (e.g. Amazon.com) decides to allow Flash clients to use its API but then they get hacked from a Flash client, then they are to blame. And the chance that they would get hacked by a malicious Flash client is higher than in the case where the end users get to judge whether a given Flash client can be trusted to execute or not.
>
> Not trying to be a pain in the butt with my counter argument, but I'm trying to probe the status quo to make sure that it makes sense. :)
>
> dos
>
> Roger Gonzalez [EMAIL PROTECTED] wrote:
>
> > If I have a server that I want to protect, I don't care whether your SWF is signed, and I don't care whether you granted it permission, I don't want you connecting to me. It doesn't matter what YOU want to approve, it matters what the SERVER wants to approve.
> >
> > -rg

Re: [flexcoders] Re: Flex 2: about potential HTTPService timeout/security issues ...

2006-03-27 Thread dos dedos



Thanks for this clarification on the timeout. I think I'll have to implement a timeout to end the HTTPService request if there is no data being exchanged for xx number of seconds.

With respect to the potential security issue, I'd like to POST XML via HTTPService to a .cgi server running on a machine other than the one the Flex app is served from. Do I need to have a crossdomain.xml at either side? Or am I free to interact with any server via HTTPService?

Thanks!

dos

Dave Wolf [EMAIL PROTECTED] wrote:

> The player is simply piggybacking on the HTTP stack of the browser. I think you will find in most cases the browser will detect the half-dead socket when data is moving on the socket and generate an error HTTP status back. Things get a little hairier when you have an idle yet persistent connection. This gets even more tricky if you are running a cluster of servers to support high availability, etc.
>
> In any case, for what you are describing, I think you won't have to work on doing this yourself. It should be very easy to test.
>
> --
> Dave Wolf
> Cynergy Systems, Inc.
> Macromedia Flex Alliance Partner
> http://www.cynergysystems.com
> Email: [EMAIL PROTECTED]
> Office: 866-CYNERGY
>
> --- In flexcoders@yahoogroups.com, dos dedos [EMAIL PROTECTED] wrote:
>
> > Relating to the potential timeout issue, I think most likely HTTPService doesn't time out on its own. However, my Java application could crash and reboot so I would have to make sure HTTPService would time out if it loses connection with the server... No idea how to do that yet ... Any clarifications would be greatly helpful!
> >
> > Thanks
> >
> > dos





--
Flexcoders Mailing List
FAQ: http://groups.yahoo.com/group/flexcoders/files/flexcodersFAQ.txt
Search Archives: http://www.mail-archive.com/flexcoders%40yahoogroups.com
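The exchange above describes two failure modes: a half-dead socket that the browser's HTTP stack notices once data moves, and an idle, persistent connection that nothing ever notices. The block below is an added example by the editor, not code from the thread or from Flex; it is written in Python rather than ActionScript so that it runs stand-alone. It starts two throwaway loopback endpoints, one that answers a POST normally and one that accepts the connection and then stays silent (the "idle yet persistent" case), and shows that a client-side socket timeout is what turns the silent case into a handled result instead of a hang. Hosts, ports, the `/cgi-bin/ingest.cgi` path, the XML payload and all function names are constructed for the demonstration.

```python
"""Idle-connection timeout for an HTTP request, demonstrated end to end."""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class _AckHandler(BaseHTTPRequestHandler):
    """Healthy endpoint: reads the posted body and answers 200 immediately."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        self.rfile.read(length)
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):
        pass  # keep the demonstration quiet


def start_ack_server():
    """Start the healthy endpoint on a random loopback port; returns (port, server)."""
    server = HTTPServer(("127.0.0.1", 0), _AckHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1], server


def start_silent_server():
    """Start an endpoint that accepts TCP connections but never sends a byte.

    This stands in for the "idle yet persistent connection" case: the socket
    is alive, nothing is in flight, and nothing is ever coming back.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    listener.settimeout(0.1)  # lets the accept loop notice the stop flag
    stop = threading.Event()

    def serve():
        held = []
        while not stop.is_set():
            try:
                conn, _ = listener.accept()
                held.append(conn)  # hold the connection open, reply with nothing
            except socket.timeout:
                continue
        for conn in held:
            conn.close()
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1], stop


def post_with_idle_timeout(host, port, path, body, idle_seconds):
    """POST body to host:port/path; give up if no data moves for idle_seconds.

    Returns "ok" for a 2xx reply, "timeout" when the peer stays silent, and
    "error" for a refused connection, a malformed reply or a non-2xx status.
    """
    # The timeout applies to the connect and to every later socket read, so an
    # idle peer is detected even though the TCP connection itself stays open.
    conn = http.client.HTTPConnection(host, port, timeout=idle_seconds)
    try:
        conn.request("POST", path, body=body,
                     headers={"Content-Type": "application/xml"})
        response = conn.getresponse()  # blocks here until the timeout fires
        response.read()
        return "ok" if 200 <= response.status < 300 else "error"
    except socket.timeout:
        return "timeout"
    except (OSError, http.client.HTTPException):
        return "error"
    finally:
        conn.close()


def demo():
    """Run the same POST against a healthy and a silent endpoint."""
    ack_port, ack_server = start_ack_server()
    silent_port, stop_silent = start_silent_server()
    try:
        body = "<doc/>"  # constructed XML payload
        path = "/cgi-bin/ingest.cgi"  # hypothetical CGI endpoint
        return {
            "healthy": post_with_idle_timeout("127.0.0.1", ack_port, path, body, 0.5),
            "idle": post_with_idle_timeout("127.0.0.1", silent_port, path, body, 0.5),
        }
    finally:
        stop_silent.set()
        ack_server.shutdown()
        ack_server.server_close()


if __name__ == "__main__":
    print(demo())
```

The idle timeout is the client's only defence against the silent case: without it, `getresponse()` blocks for as long as the peer keeps the TCP connection open, which is exactly the situation a crashed-and-restarting backend behind a load balancer can produce.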








  
  



  









RE: [flexcoders] Re: Flex 2: about potential HTTPService timeout/security issues ...

2006-03-27 Thread Carson Hager





You will need a crossdomain file.

Carson

Carson Hager
Cynergy Systems, Inc.
http://www.cynergysystems.com
Email: [EMAIL PROTECTED]
Office: 866-CYNERGY
Mobile: 1.703.489.6466

From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of dos dedos
Sent: Monday, March 27, 2006 2:26 PM
To: flexcoders@yahoogroups.com
Subject: Re: [flexcoders] Re: Flex 2: about "potential" HTTPService timeout/security issues ...

> Thanks for this clarification on the timeout. I think I'll have to implement a timeout to end the HTTPService request if there is no data being exchanged for xx number of seconds.
>
> With respect to the potential security issue, I'd like to POST XML via HTTPService to a .cgi server running on a machine other than the one the Flex app is served from. Do I need to have a crossdomain.xml at either side? Or am I free to interact with any server via HTTPService?
>
> Thanks!
>
> dos








  









RE: [flexcoders] Re: Flex 2: about potential HTTPService timeout/security issues ...

2006-03-27 Thread dos dedos



thanks!

btw, does anyone know what is the security scenario that prompted the introduction of the crossdomain requirement? It would be educational to know.

Carson Hager [EMAIL PROTECTED] wrote:

> You will need a crossdomain file.
>
> Carson








  









RE: [flexcoders] Re: Flex 2: about potential HTTPService timeout/security issues ...

2006-03-27 Thread Ted Patrick
1. Delegate security to the server side on a domain/subdomain basis.

2. Enable high and low ports access. 

3. Prevent Flash Player from being used as denial of service toolset.

Crossdomain.xml has really improved things, it was a great addition to the 
player at the release of Flash Player 7. I complained about it but eventually I 
saw the light.

Cheers,

Cynergy Systems, Inc.
Theodore Patrick
Sr. Consultant
[EMAIL PROTECTED]
tel: 1.866.CYNERGY
http://www.cynergysystems.com




From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of dos 
dedos
Sent: Monday, March 27, 2006 6:14 PM
To: flexcoders@yahoogroups.com
Subject: RE: [flexcoders] Re: Flex 2: about potential HTTPService 
timeout/security issues ...

thanks!

btw, does anyone know what is the security scenario that prompted the introduction of the crossdomain requirement? It would be educational to know.

Carson Hager [EMAIL PROTECTED] wrote:

> You will need a crossdomain file.
 
 

 


 




Re: [flexcoders] Re: Flex 2: about potential HTTPService timeout/security issues ...

2006-03-27 Thread dos dedos



Well, I understand the general risk scenario now, but Java solved this problem with the concept of signed applets! Why doesn't Flash support signing of applets? If you click OK to accept the certificate then you're allowing it to do whatever it wants. I believe ActiveX also works this way ...

Doug Lowder [EMAIL PROTECTED] wrote:

> There are some really good responses to This Post that explain the reasons behind crossdomain.xml.
>
> --- In flexcoders@yahoogroups.com, dos dedos [EMAIL PROTECTED] wrote:
>
> > thanks!
> >
> > btw, does anyone know what is the security scenario that prompted the introduction of the crossdomain requirement? It would be educational to know.








  









RE: [flexcoders] Re: Flex 2: about potential HTTPService timeout/security issues ...

2006-03-27 Thread dos dedos



(I'm still in complaining mode)

ActiveX and Java used applet signing to solve this ... Wouldn't it be better to "respect" the end user's right to choose whether or not to trust a given Flash app to do what it's supposed to do rather than to force the user to install crossdomain on their machine or force the sys admin (in case of LAN) to install crossdomain inside the LAN? How about some security through democracy?

How many times does the average person click OK on a signed applet or ActiveX permission screen and end up regretting it?

dos

Ted Patrick [EMAIL PROTECTED] wrote:

> 1. Delegate security to the server side on a domain/subdomain basis.
> 2. Enable high and low ports access.
> 3. Prevent Flash Player from being used as "denial of service" toolset.
>
> Crossdomain.xml has really improved things, it was a great addition to the player at the release of Flash Player 7. I complained about it but eventually I saw the light.
>
> Cheers,
>
> Theodore Patrick
> Sr. Consultant
> Cynergy Systems, Inc.








  









RE: [flexcoders] Re: Flex 2: about potential HTTPService timeout/security issues ...

2006-03-27 Thread Roger Gonzalez





You have the purpose backwards. (There's an entirely different mechanism for what trust you want to grant to a particular SWF.)

The point is for a server owner to prevent you from distributing a SWF that can act as a distributed denial-of-service attack on a server.

Consider the case of some web forum that lets you upload a SWF as an image. Every person who visits the page runs that SWF. It would thus be bad if the SWF was allowed to connect to some site that the SWF author wanted to crash.

Dig it?

-rg

From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of dos dedos
Sent: Monday, March 27, 2006 7:58 PM
To: flexcoders@yahoogroups.com
Subject: RE: [flexcoders] Re: Flex 2: about "potential" HTTPService timeout/security issues ...

> (I'm still in complaining mode)
>
> ActiveX and Java used applet signing to solve this ... Wouldn't it be better to "respect" the end user's right to choose whether or not to trust a given Flash app to do what it's supposed to do rather than to force the user to install crossdomain on their machine or force the sys admin (in case of LAN) to install crossdomain inside the LAN? How about some security through democracy?
>
> How many times does the average person click OK on a signed applet or ActiveX permission screen and end up regretting it?
>
> dos
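Ted Patrick's three reasons for crossdomain.xml and Roger Gonzalez's forum-upload scenario both come down to one decision made by the server owner, expressed in the policy file the server publishes. The block below is an added example by the editor, not code from the thread or from Adobe. It evaluates two constructed policy files the way Flash Player decides whether a SWF loaded from some other origin may call the server, and audits them for the settings a server owner would want flagged, in particular the wide-open `domain="*"` that makes the server reachable from any SWF on the web, which is the DoS case Roger describes. The sample policies, domain names and function names are assumptions; the treatment of `*.example.com` as also matching `example.com`, and of the `secure` attribute, follows the editor's reading of Adobe's policy-file specification and should be checked against the player version in use.

```python
"""Evaluate and audit Flash crossdomain.xml policies (editor's added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample policies, not taken from the thread.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>
"""

RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="app.example.com"/>
  <allow-access-from domain="*.partners.example.net" secure="false"/>
</cross-domain-policy>
"""


def parse_policy(xml_text):
    """Return a list of (domain_pattern, secure_only) rules from a policy file."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    rules = []
    for element in root.findall("allow-access-from"):
        pattern = element.get("domain")
        if not pattern:
            continue
        # secure="true" is the default: when the policy is served over HTTPS,
        # only SWFs loaded over HTTPS match unless the rule says secure="false".
        secure_only = element.get("secure", "true").lower() != "false"
        rules.append((pattern.lower(), secure_only))
    return rules


def domain_matches(pattern, host):
    """Match a policy domain pattern against the host the SWF was loaded from."""
    host = host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # Assumption: "*.example.com" covers sub.example.com and example.com itself.
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def is_allowed(policy_xml, swf_url, policy_served_over_https):
    """Decide whether a SWF loaded from swf_url may talk to the policy's server."""
    parts = urlsplit(swf_url)
    swf_host = parts.hostname or ""
    swf_https = parts.scheme == "https"
    for pattern, secure_only in parse_policy(policy_xml):
        if not domain_matches(pattern, swf_host):
            continue
        if policy_served_over_https and secure_only and not swf_https:
            continue  # an HTTPS server refuses plaintext-origin SWFs by default
        return True
    return False


def audit_policy(policy_xml):
    """Return the findings a server owner would want to see before publishing."""
    findings = []
    for pattern, secure_only in parse_policy(policy_xml):
        if pattern == "*":
            findings.append('domain="*" lets any SWF on the web call this server')
        elif pattern.startswith("*."):
            findings.append(f"wildcard {pattern} trusts every subdomain of {pattern[2:]}")
        if not secure_only:
            findings.append(f'secure="false" on {pattern} admits SWFs loaded over plain HTTP')
    return findings


if __name__ == "__main__":
    # A SWF uploaded to an unrelated forum (Roger's scenario) against each policy.
    forum_swf = "http://forum.example.org/upload.swf"
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, is_allowed(policy, forum_swf, False), audit_policy(policy))
```

The audit is the part a server owner actually needs: the permissive policy makes the forum-hosted SWF a valid caller, the restricted one does not, and the `secure="false"` finding shows the one place the restricted policy deliberately relaxes the HTTPS-only default.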








  









RE: [flexcoders] Re: Flex 2: about potential HTTPService timeout/security issues ...

2006-03-27 Thread dos dedos



In your example the SWF should not be allowed to connect to any server other than the server it was served from! That's by default.

That is unless it is a SIGNED SWF where the end user may allow or deny its request to execute with full permissions. If it works for Java and ActiveX it would work equally well for Flash ... I'm interested in understanding why the way it's done in Flash may be better ...

dos

Roger Gonzalez [EMAIL PROTECTED] wrote:

> You have the purpose backwards. (There's an entirely different mechanism for what trust you want to grant to a particular SWF.)
>
> The point is for a server owner to prevent you from distributing a SWF that can act as a distributed denial-of-service attack on a server.
>
> Consider the case of some web forum that lets you upload a SWF as an image. Every person who visits the page runs that SWF. It would thus be bad if the SWF was allowed to connect to some site that the SWF author wanted to crash.
>
> Dig it?
>
> -rg








  









RE: [flexcoders] Re: Flex 2: about potential HTTPService timeout/security issues ...

2006-03-27 Thread dos dedos



That is the reverse of the common philosophy on this issue. Usually, the end user is "trusted" with the decision because the assumption is that the end user is A) not stupid and B) not evil.

Defending all servers out there against the threat of an attack by all Flash clients (irrespective of their intent) means that all Flash clients are presumed guilty unless the server owner decides that they're not, but it is the end user who is able to judge whether a given Flash client is to be trusted or not. The server owner has no way of knowing because they're not the ones downloading the Flash content, the users are.

So if the server owner (e.g. Amazon.com) decides to allow Flash clients to use its API but then they get hacked from a Flash client, then they are to blame. And the chance that they would get hacked by a malicious Flash client is higher than in the case where the end users get to judge whether a given Flash client can be trusted to execute or not.

Not trying to be a pain in the butt with my counter argument, but I'm trying to probe the status quo to make sure that it makes sense. :)

dos

Roger Gonzalez [EMAIL PROTECTED] wrote:

> If I have a server that I want to protect, I don't care whether your SWF is signed, and I don't care whether you granted it permission, I don't want you connecting to me. It doesn't matter what YOU want to approve, it matters what the SERVER wants to approve.
>
> -rg
>
> From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of dos dedos
> Sent: Monday, March 27, 2006 8:27 PM
> To: flexcoders@yahoogroups.com
> Subject: RE: [flexcoders] Re: Flex 2: about "potential" HTTPService timeout/security issues ...
>
> > In your example the SWF should not be allowed to connect to any server other than the server it was served from! That's by default.
> >
> > That is unless it is a SIGNED SWF where the end user may allow or deny its request to execute with full permissions. If it works for Java and ActiveX it would work equally well for Flash ... I'm interested in understanding why the way it's done in Flash may be better ...
> >
> > dos