|
-
I think XML sockets in Flash are a fantastic idea. But, I can't help wonder how secure their usage is. I'm definately no security expert and I'd like to get some ideas from the community on how XML socket implementation might affect server security.
For instance:
How secure is TCP/IP compared to HTTP?
Does Flash support some kind of encryption or can anyone eaves drop on XML messages going to/from the server?
Is it possible for someone to hack my server though an open TCP/IP port?
What are your concerns out there, if any, regarding XML socket security?
Peace
-
Hi
I think this all depends on how the xml socket server is created.
As it is TCP/IP a user can essentially connect from any custom client, or telnet.
Socket servers which 'broadcast' are of no use, when it comes to security. As good as the free java servers are, anyone could telnet to the port and eavesdrop on ALL incoming and ougoing xml messages.
We've created a socket server, which only sends messages to the user it was intended. If you don't log on, you can't see anything.
A Handshake could be a good way of creating 'extra' security which I'll implement when I have a spare 5 minutes.
Steve
http://www.flashnexus.com
-
>How secure is TCP/IP compared to HTTP?
HTTP is TCP/IP what would be more precise is
how do HTTP and flash XMLSocket compare
or how do Apache and FlashNow compare.
(sorry FlashNow http://www.nowcentral.com is my product so ignore that loud honk you hear it's my horn)
A XMLSocket server is probably more secure than a web server in general. A web server has rights to read files from your computer and send them out to people.
with cgi (or asp etc...) it has the rights to execute various code or programs on your computer.
so if your not careful how you configure it it can be very dangerous.
a XMLSocket server would generally not do these things and is probably a simpler program.
on the other hand, it probably has had less thorough testing and development than say Apache has.
> Does Flash support some kind of encryption or can anyone eaves drop on XML messages going to/from the server?
no encryption is built-in to flash, whatever encoder/decoder you could build in ActionScript could be used, but it's not going to be in the same league as SSL.
> Is it possible for someone to hack my server though an open TCP/IP port?
OK, I KNOW NOTHING ABOUT SECURITY!! but ...
what is an "open port"? If I don't have a fire wall but am running no software on my computer (which obviously I is a silly thing to say since my OS is a piece of software) then there is absolutely no risk.
realistically allowing your computer to talk to the Internet is dangerous but if you are not running a piece of software on that port then there is little that can be done (denial of service by repeated requests I guess) if you are running a benign and well written piece of software be it client or server then you are safe.
If you are running some piece of software which purposefully or accidentally gives others access to your computer then well your in trouble.
> What are your concerns out there, if any, regarding XML socket security?
Denial of Service attacks are possible.
Exploiting bugs in the Server are possible.
-
As it is TCP/IP a user can essentially connect from any custom client, or telnet.
True but less frightening than it may sound, you can telnet to a web server and type GET, and it will send you a html page, but this is not dangerous.
it is insecure communications since you can get all the messages but it does not make the server or client computers insecure.
You can not get telnet/shell access to a computer unless the server you are connecting to is a telnet server.
-
So when can we start using the XMLSSLsocket?? Anyone?
What I get from this discussion is: If alternative is loadVariables("http://...."): XML is better.
else if you need to use loadVariables("https://...): It is not and will never be safe enough...
Sjur
PS: Will there be problems using loadVariables or getURL on secure servers? https?
-
Senior Member
I see the biggest problem with Socket Servers at the moment is that it is relatively difficult to build and customise a socket server to your needs, while get XML from a web server, whether dynamically or statically is relative easy.
Also look at the list of bugs and security patches that have been made on practically any web server and you will see the number of issues that arrise.
Is you XML socket server going to be able to cope as well as these web servers are? Especially if you are building the socket server from scratch yourself probably not. Something like the socket server at http://www.flashnexus.com will come close to being better security but it will take some time to iron out all the possible bugs.
Thanks
Luke
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
Click Here to Expand Forum to Full Width
|
Reply With Quote