[osflash] secure my application...

Samuel Agesilas samuel at modulous.net
Tue Nov 6 14:01:46 PST 2007 

Marcelo,

Ahh... ok. Cool! If I may ask another question that I neglected to  
post and that is what kind of back end technology are you using? Java,  
PHP, ASP.NET?

Cheers,
Sam

On Nov 6, 2007, at 3:54 PM, Marcelo de Moraes Serpa wrote:

> Hello Samuel,
>
>> If I may chime in this discussion.. what are you trying to protect?  
>> The
>> actual swf or access to services exposed in the swf?
>
> Yes, it wans't clear. Actually I'm not really trying to protect the
> SWF but instead restrict the ways it can be served. Mine is an
> application somewhat like youtube but more restricted, so, I wouldn't
> want anyone to get the URL and play the videos anywhere (outside of
> the allowed domain).
>
> On Nov 6, 2007 4:41 PM, Samuel Agesilas <samuel at modulous.net> wrote:
>> Marcelo,
>>
>> If I may chime in this discussion.. what are you trying to protect?  
>> The
>> actual swf or access to services exposed in the swf?
>>
>> cheers,
>> Sam
>>
>>
>>
>> On Nov 4, 2007, at 6:42 PM, Jonathan Valliere wrote:
>>
>> Marcelo,
>>
>> As far as referrer checking, your going to need to search google or  
>> get in
>> touch with a Red5 developer ( put it on the Red5 mailing list ).
>>
>> Encryption:  You can load in SWF binary via ByteArray and  
>> encryption can be
>> done with ByteArray data ( that can be loaded via .. Loader ?? ).
>> Essentially you encrypt your SWF binary ( and store it encrypted on  
>> the
>> server ) and load it in over HTTPs and decrypt it based on a public/ 
>> private
>> key based on a secondary encryption mechanism located inside the  
>> first one
>> and load into a SWFLoader at runtime.  Run the entire application  
>> over HTTPs
>> with cache off and it should be pretty dam secure.
>>
>> http://en.wikipedia.org/wiki/Public-key_cryptography
>>
>> http://en.wikipedia.org/wiki/Encryption
>>
>> http://en.wikipedia.org/wiki/Topics_in_cryptography
>>
>> I bet there are a lot of good books on Cryptography.
>>
>> -Jon
>>
>>
>> On Nov 4, 2007, at 7:24 PM, Marcelo de Moraes Serpa wrote:
>> Hello Jonathan,
>>
>>> You could protect swfs over RTMP via Red5 to make sure of a correct
>> referrer.
>>
>>
>>> You could also load in an encrypted SWF that contains a secondary
>> encrypted Binary file that self-decrypts ( and runs ) and is  
>> responsible for
>> referrer / self-authentication over HTTPS / RTMP.
>>
>>
>> Any examples or maybe pointers to articles that elaborate on these
>> techniques?
>>
>> Thanks,
>>
>> Marcelo.
>>
>>
>>
>> On 11/4/07, Jonathan Valliere <sybersnake at gmail.com> wrote:
>>>
>>> yeah but you can't protect against everything.  you can encrypt  
>>> your swfs,
>> decrypt them clientside but that could also ultimately be faked  
>> given enough
>> time and data capture.
>>>
>>>
>>> You could protect swfs over RTMP via Red5 to make sure of a correct
>> referrer.  You could also load in an encrypted SWF that contains a  
>> secondary
>> encrypted Binary file that self-decrypts ( and runs ) and is  
>> responsible for
>> referrer / self-authentication over HTTPS / RTMP.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Nov 4, 2007, at 12:23 PM, Marcelo de Moraes Serpa wrote:
>>>
>>>
>>>> Red the URL from the browser and see if the domain is valid.  I  
>>>> forget
>> how to get it normally but in Flex you get it this way
>>>>
>>>
>>> Yes, but one could possibly decompile the SWF and remove this code  
>>> (since
>> it is client side).
>>>
>>>
>>> On 11/4/07, Jonathan Valliere <sybersnake at gmail.com > wrote:
>>>>
>>>> Red the URL from the browser and see if the domain is valid.  I  
>>>> forget
>> how to get it normally but in Flex you get it this way
>>>>
>>>>
>>>> Application( Application.application ).url
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Nov 3, 2007, at 11:40 AM, Jean-Philippe DELAVALLADE wrote:
>>>>
>>>> It's perhaps a solution
>>>> but i prefer using a referer like in Flash Media Server
>>>> I don't find it in RED5
>>>>
>>>>
>>>>
>>>> Le 3 nov. 07 à 16:23, Marcelo de Moraes Serpa a écrit :
>>>>
>>>> Hmm.. yep, haven't though about the domain restrictions of the  
>>>> player,
>> it might work!
>>>>
>>>> @Paul: Afaik, it works like this: When the player downloads a SWF  
>>>> from a
>> domain, it looks for a crossdomain.xml file that in turns contains  
>> rules on
>> which other domains are allowed to play your SWF files you are  
>> serving
>> through your domain. Please someone correct-me if I'm wrong.
>>>>
>>>> Cheers,
>>>>
>>>> Marcelo.
>>>>
>>>>
>>>> On 11/3/07, Jean-Philippe DELAVALLADE < jeanphide at orange.fr> wrote:
>>>>>
>>>>> Thanks Paul :)
>>>>> Add a cross-domain policy, which prevents unauthorized domains  
>>>>> from
>> accessing your assets.
>>>>> but how ??
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Le 3 nov. 07 à 14:42, paul|LOWRES a écrit :
>>>>>
>>>>>
>>>>>
>>>>> maybe a cross-domain policy is, what you are looing for?
>>>>>
>>>>>
>>>>>
>>>>>
>> http://livedocs.adobe.com/flash/9.0/UsingFlash/help.html?content=WSd60f23110762d6b883b18f10cb1fe1af6-7b35.html
>>>>>
>>>>>
>>>>> cheers,
>>>>> paul
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Am 03.11.2007 um 14:01 schrieb Marcelo de Moraes Serpa:
>>>>>
>>>>> Hello Jean,
>>>>>
>>>>> I'm also searching for a way to restrict my flash application in a
>> domain. Actually I thought in serving the SWF through a script  
>> instead of
>> letting the webserver serve it so that I could do this referrer check
>> server-side (Using Ruby/Rails or PHP for example). Code to check the
>> referrer in the SWF could work but someone could decompile your SWF  
>> and
>> remove this check.
>>>>>
>>>>> If someone got some ideas regarding that, please share!
>>>>>
>>>>> Marcelo.
>>>>>
>>>>>
>>>>> On 10/26/07, Jean-Philippe DELAVALLADE < jeanphide at orange.fr>  
>>>>> wrote:
>>>>>>
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>>
>>>>>> I would like to protect my application, do a referrer in fact
>>>>>> I've tried this code but the server never run with that :
>>>>>>
>>>>>>
>>>>>> public boolean appConnect(IConnection conn, Object[] params) {
>>>>>>    String pageUrl =  
>>>>>> (String)conn.getConnectParams().get( "pageUrl"
>> );
>>>>>>    log.debug( "L'URL de la pages est : " +pageUrl);
>>>>>>    if(pageUrl != "http://mydomain"){
>>>>>> return false;
>>>>>>         }
>>>>>> Can you show me the way, in order to my appli just run under my
>> domain ?
>>>>>>
>>>>>>
>>>>>> Thanks guys
>>>>>>
>>>>>>
>>>>>> JP
>>>>>> _______________________________________________
>>>>>> osflash mailing list
>>>>>> osflash at osflash.org
>>>>>> http://osflash.org/mailman/listinfo/osflash_osflash.org
>>>>>>
>>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> osflash mailing list
>>>>> osflash at osflash.org
>>>>> http://osflash.org/mailman/listinfo/osflash_osflash.org
>>>>>
>>>>> _______________________________________________
>>>>> osflash mailing list
>>>>> osflash at osflash.org
>>>>> http://osflash.org/mailman/listinfo/osflash_osflash.org
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> osflash mailing list
>>>>> osflash at osflash.org
>>>>> http://osflash.org/mailman/listinfo/osflash_osflash.org
>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> osflash mailing list
>>>> osflash at osflash.org
>>>> http://osflash.org/mailman/listinfo/osflash_osflash.org
>>>>
>>>>
>>>> _______________________________________________
>>>> osflash mailing list
>>>> osflash at osflash.org
>>>> http://osflash.org/mailman/listinfo/osflash_osflash.org
>>>>
>>>> _______________________________________________
>>>> osflash mailing list
>>>> osflash at osflash.org
>>>> http://osflash.org/mailman/listinfo/osflash_osflash.org
>>>>
>>>>
>>>
>>>
>>> _______________________________________________
>>> osflash mailing list
>>> osflash at osflash.org
>>> http://osflash.org/mailman/listinfo/osflash_osflash.org
>>>
>>> _______________________________________________
>>> osflash mailing list
>>> osflash at osflash.org
>>> http://osflash.org/mailman/listinfo/osflash_osflash.org
>>>
>>>
>>
>> _______________________________________________
>> osflash mailing list
>> osflash at osflash.org
>> http://osflash.org/mailman/listinfo/osflash_osflash.org
>> _______________________________________________
>> osflash mailing list
>> osflash at osflash.org
>> http://osflash.org/mailman/listinfo/osflash_osflash.org
>>
>>
>> _______________________________________________
>> osflash mailing list
>> osflash at osflash.org
>> http://osflash.org/mailman/listinfo/osflash_osflash.org
>>
>>
>
> _______________________________________________
> osflash mailing list
> osflash at osflash.org
> http://osflash.org/mailman/listinfo/osflash_osflash.org

More information about the osflash mailing list