-
flash and security
isn't flash pretty much the same thing as an html form as far as secure servers and aspx, cf, or php are concerned? putting a form inside an swf on a secure server that submits to a page on that same server is as secure as forms get, correct?
there's nothing more secure about an html/javascript page generated by serverside scripting than flash is there?
i know about hackers accessing databases and taking vital info but how do they intercept submissions?
pros/megaposters, please answer
i've written cold fusion sites for years but never adminned so never had to worry about security.
thanks!!!
-
Hi,
you are right - a flash form usually sends the same data to a server as an html form. So all the problems that the serverside code might have with forms input are the same. In particular, if a form sends data that is used to query or update a database, and you allow improper input, the db could be attacked (read about "sql injection").
About intercepting secure servers: I recently visited an IT trade fair, and one of the products shown there was an "https interceptor". Its operation is quite simple: when you try to open an https page, you actually connect to the interceptor. The interceptor sends a fake certificate back to the browser and then connects to the real server. The one and only prerequisite for this kind of sniffing: the browser needs to accept the fake cert as valid, i.e. the interceptor must be installed as a CA. It seems quite easy to do that in corporate environments where users are not allowed to install their own software, and so cannot use a different browser (which might still complain about the fake cert).
In special cases, flash can add to the security by using some mild encryption in the movie. Of course a movie can be decompiled in order to reverse the algorithm, and there cannot be a secret key either. However, it is possible to change the algorithm every time, and so a sniffer who wants to download the movie and analyze it after seeing the encrypted data would just download the wrong code.
Musicman
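The point in the post above about form input reaching a database, as an added example that is not part of the original thread: the server receives the same urlencoded body whether an SWF or an HTML form sent it, so the check has to live in the server-side code. Python with sqlite3 stands in for the aspx/cf/php backend here; the table, field names and request bodies are constructed for illustration.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed sample bodies, as a Flash movie or an HTML form would POST them.
NORMAL = "name=alice"
CRAFTED = "name=x%27+OR+%271%27%3D%271"   # decodes to: x' OR '1'='1


def make_db():
    """In-memory table with two constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "a-secret"), ("bob", "b-secret")])
    return db


def field(body, key):
    """Read one field from the urlencoded body; the client type is invisible here."""
    return parse_qs(body, keep_blank_values=True).get(key, [""])[0]


def lookup_unsafe(db, body):
    """Vulnerable form: the input is pasted into the SQL text."""
    name = field(body, "name")
    sql = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def lookup_safe(db, body):
    """Hardened form: allow-list check, then a bound parameter."""
    name = field(body, "name")
    if not name.isalnum() or len(name) > 32:
        raise ValueError("rejected input")
    return db.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("unsafe, normal :", lookup_unsafe(db, NORMAL))
    print("unsafe, crafted:", lookup_unsafe(db, CRAFTED))
    print("safe, normal   :", lookup_safe(db, NORMAL))
    try:
        lookup_safe(db, CRAFTED)
    except ValueError as exc:
        print("safe, crafted  :", exc)
```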
-
imagination through stupidity
yea..
your stuff is really only as secure as the entry to your backend.
Nothing to see here, move along.
-
thanks for replying
what i thought, what i always thought, cause that's what i was told by a wise ubergeek
so how about this statement:
"the client's browser is in charge of the front end. the serverside scripting is in charge of the backend. whatever damage you could do "through" flash to any particular application, you could also do "through" an html, aspx, cf, or php form. security is enforced exactly the same way with or without flash."
i know about the decompiling or character searching.
yeah the randomly generated key is what i was thinking of too. not that i really care about security, it's just that "security" was a hotword being thrown around by an asp lamer. encrypting before submitting is a one-up on whatever asp template javascript onBlur nonsense he can come up with.
-
imagination through stupidity
flash can be just as secure as any javascript/html app, possibly even more so because of the extra decompile step. The important thing is that it is not any less secure than any other major client side technology out there. With AS3, you're going to see us being able to stream the entire application via sockets with an authentication so only a mini app loads and the rest is securely fed to it (and it's not cached and decompile is impossible because there is nothing to decompile).
Nothing to see here, move along.