[osflash] secure my application...

Jonathan Valliere sybersnake at gmail.com
Sun Nov 4 16:42:17 PST 2007 

Marcelo,

As far as referrer checking, your going to need to search google or  
get in touch with a Red5 developer ( put it on the Red5 mailing list ).

Encryption:  You can load in SWF binary via ByteArray and encryption  
can be done with ByteArray data ( that can be loaded via ..  
Loader ?? ).  Essentially you encrypt your SWF binary ( and store it  
encrypted on the server ) and load it in over HTTPs and decrypt it  
based on a public/private key based on a secondary encryption  
mechanism located inside the first one and load into a SWFLoader at  
runtime.  Run the entire application over HTTPs with cache off and it  
should be pretty dam secure.

http://en.wikipedia.org/wiki/Public-key_cryptography

http://en.wikipedia.org/wiki/Encryption

http://en.wikipedia.org/wiki/Topics_in_cryptography

I bet there are a lot of good books on Cryptography.

-Jon

On Nov 4, 2007, at 7:24 PM, Marcelo de Moraes Serpa wrote:

> Hello Jonathan,
>
> You could protect swfs over RTMP via Red5 to make sure of a correct  
> referrer.
>
>
> You could also load in an encrypted SWF that contains a secondary  
> encrypted Binary file that self-decrypts ( and runs ) and is  
> responsible for referrer / self-authentication over HTTPS / RTMP.
>
>
> Any examples or maybe pointers to articles that elaborate on these  
> techniques?
>
> Thanks,
>
> Marcelo.
>
>
>
> On 11/4/07, Jonathan Valliere <sybersnake at gmail.com> wrote:
> yeah but you can't protect against everything.  you can encrypt  
> your swfs, decrypt them clientside but that could also ultimately  
> be faked given enough time and data capture.
>
> You could protect swfs over RTMP via Red5 to make sure of a correct  
> referrer.  You could also load in an encrypted SWF that contains a  
> secondary encrypted Binary file that self-decrypts ( and runs ) and  
> is responsible for referrer / self-authentication over HTTPS / RTMP.
>
>
>
> On Nov 4, 2007, at 12:23 PM, Marcelo de Moraes Serpa wrote:
>
>> Red the URL from the browser and see if the domain is valid.  I  
>> forget how to get it normally but in Flex you get it this way
>>
>> Yes, but one could possibly decompile the SWF and remove this code  
>> (since it is client side).
>>
>> On 11/4/07, Jonathan Valliere <sybersnake at gmail.com > wrote:
>> Red the URL from the browser and see if the domain is valid.  I  
>> forget how to get it normally but in Flex you get it this way
>>
>> Application( Application.application ).url
>>
>>
>> On Nov 3, 2007, at 11:40 AM, Jean-Philippe DELAVALLADE wrote:
>>
>>> It's perhaps a solution
>>> but i prefer using a referer like in Flash Media Server
>>> I don't find it in RED5
>>>
>>> Le 3 nov. 07 à 16:23, Marcelo de Moraes Serpa a écrit :
>>>
>>>> Hmm.. yep, haven't though about the domain restrictions of the  
>>>> player, it might work!
>>>>
>>>> @Paul: Afaik, it works like this: When the player downloads a  
>>>> SWF from a domain, it looks for a crossdomain.xml file that in  
>>>> turns contains rules on which other domains are allowed to play  
>>>> your SWF files you are serving through your domain. Please  
>>>> someone correct-me if I'm wrong.
>>>>
>>>> Cheers,
>>>>
>>>> Marcelo.
>>>>
>>>> On 11/3/07, Jean-Philippe DELAVALLADE < jeanphide at orange.fr> wrote:
>>>> Thanks Paul :)
>>>> Add a cross-domain policy, which prevents unauthorized domains  
>>>> from accessing your assets.
>>>> but how ??
>>>>
>>>> Le 3 nov. 07 à 14:42, paul|LOWRES a écrit :
>>>>
>>>>> maybe a cross-domain policy is, what you are looing for?
>>>>>
>>>>> http://livedocs.adobe.com/flash/9.0/UsingFlash/help.html? 
>>>>> content=WSd60f23110762d6b883b18f10cb1fe1af6-7b35.html
>>>>>
>>>>> cheers,
>>>>> paul
>>>>>
>>>>>
>>>>> Am 03.11.2007 um 14:01 schrieb Marcelo de Moraes Serpa:
>>>>>
>>>>>> Hello Jean,
>>>>>>
>>>>>> I'm also searching for a way to restrict my flash application  
>>>>>> in a domain. Actually I thought in serving the SWF through a  
>>>>>> script instead of letting the webserver serve it so that I  
>>>>>> could do this referrer check server-side (Using Ruby/Rails or  
>>>>>> PHP for example). Code to check the referrer in the SWF could  
>>>>>> work but someone could decompile your SWF and remove this check.
>>>>>>
>>>>>> If someone got some ideas regarding that, please share!
>>>>>>
>>>>>> Marcelo.
>>>>>>
>>>>>> On 10/26/07, Jean-Philippe DELAVALLADE < jeanphide at orange.fr>  
>>>>>> wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I would like to protect my application, do a referrer in fact
>>>>>> I've tried this code but the server never run with that :
>>>>>>
>>>>>> public boolean appConnect(IConnection conn, Object[] params) {
>>>>>>     	String pageUrl = (String)conn.getConnectParams().get 
>>>>>> ( "pageUrl" );
>>>>>>     	 log.debug( "L'URL de la pages est : " +pageUrl);
>>>>>>     	 if(pageUrl != "http://mydomain"){
>>>>>>  	 return false;
>>>>>>         	 }
>>>>>> Can you show me the way, in order to my appli just run under  
>>>>>> my domain ?
>>>>>>
>>>>>> Thanks guys
>>>>>>
>>>>>> JP
>>>>>>
>>>>>> _______________________________________________
>>>>>> osflash mailing list
>>>>>> osflash at osflash.org
>>>>>> http://osflash.org/mailman/listinfo/osflash_osflash.org
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> osflash mailing list
>>>>>> osflash at osflash.org
>>>>>> http://osflash.org/mailman/listinfo/osflash_osflash.org
>>>>>
>>>>> _______________________________________________
>>>>> osflash mailing list
>>>>> osflash at osflash.org
>>>>> http://osflash.org/mailman/listinfo/osflash_osflash.org
>>>>
>>>>
>>>> _______________________________________________
>>>> osflash mailing list
>>>> osflash at osflash.org
>>>> http://osflash.org/mailman/listinfo/osflash_osflash.org
>>>>
>>>>
>>>> _______________________________________________
>>>> osflash mailing list
>>>> osflash at osflash.org
>>>> http://osflash.org/mailman/listinfo/osflash_osflash.org
>>>
>>> _______________________________________________
>>> osflash mailing list
>>> osflash at osflash.org
>>> http://osflash.org/mailman/listinfo/osflash_osflash.org
>>
>>
>> _______________________________________________
>> osflash mailing list
>> osflash at osflash.org
>> http://osflash.org/mailman/listinfo/osflash_osflash.org
>>
>>
>> _______________________________________________
>> osflash mailing list
>> osflash at osflash.org
>> http://osflash.org/mailman/listinfo/osflash_osflash.org
>
>
> _______________________________________________
> osflash mailing list
> osflash at osflash.org
> http://osflash.org/mailman/listinfo/osflash_osflash.org
>
>
> _______________________________________________
> osflash mailing list
> osflash at osflash.org
> http://osflash.org/mailman/listinfo/osflash_osflash.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://osflash.org/pipermail/osflash_osflash.org/attachments/20071104/b52bc5b3/attachment-0001.html

More information about the osflash mailing list