<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Marcelo,<div><br class="webkit-block-placeholder"></div><div>If I may chime in on this discussion... what are you trying to protect? The actual swf or access to services exposed in the swf?</div><div><br class="webkit-block-placeholder"></div><div>cheers,</div><div>Sam</div><div><br><div><div>On Nov 4, 2007, at 6:42 PM, Jonathan Valliere wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "> Marcelo,<div><br></div><div>As far as referrer checking, you're going to need to search Google or get in touch with a Red5 developer ( put it on the Red5 mailing list ).</div><div><br class="webkit-block-placeholder"></div><div>Encryption: You can load in SWF binary via ByteArray and encryption can be done with ByteArray data ( that can be loaded via .. Loader ?? ). Essentially you encrypt your SWF binary ( and store it encrypted on the server ) and load it in over HTTPS and decrypt it based on a public/private key based on a secondary encryption mechanism located inside the first one and load into a SWFLoader at runtime. 
Run the entire application over HTTPS with cache off and it should be pretty damn secure.</div><div><br class="webkit-block-placeholder"></div><div><a href="http://en.wikipedia.org/wiki/Public-key_cryptography">http://en.wikipedia.org/wiki/Public-key_cryptography</a></div><div><br class="webkit-block-placeholder"></div><div><a href="http://en.wikipedia.org/wiki/Encryption">http://en.wikipedia.org/wiki/Encryption</a></div><div><br class="webkit-block-placeholder"></div><div><a href="http://en.wikipedia.org/wiki/Topics_in_cryptography">http://en.wikipedia.org/wiki/Topics_in_cryptography</a></div><div><br class="webkit-block-placeholder"></div><div>I bet there are a lot of good books on Cryptography.</div><div><br class="webkit-block-placeholder"></div><div>-Jon</div><div><br><div><div>On Nov 4, 2007, at 7:24 PM, Marcelo de Moraes Serpa wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">Hello Jonathan,<br><br><blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote">You could protect swfs over RTMP via Red5 to make sure of a correct referrer. </blockquote><div><br> </div><blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote">You could also load in an encrypted SWF that contains a secondary encrypted Binary file that self-decrypts ( and runs ) and is responsible for referrer / self-authentication over HTTPS / RTMP.</blockquote><div><br><br>Any examples or maybe pointers to articles that elaborate on these techniques?<br><br>Thanks,<br><br>Marcelo. 
<br></div><br><br><br><div><span class="gmail_quote">On 11/4/07, <b class="gmail_sendername"> Jonathan Valliere</b> &lt;<a href="mailto:sybersnake@gmail.com">sybersnake@gmail.com</a>&gt; wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> <div style=""> Yeah, but you can't protect against everything. You can encrypt your swfs, decrypt them clientside but that could also ultimately be faked given enough time and data capture.<div><br></div><div>You could protect swfs over RTMP via Red5 to make sure of a correct referrer. You could also load in an encrypted SWF that contains a secondary encrypted Binary file that self-decrypts ( and runs ) and is responsible for referrer / self-authentication over HTTPS / RTMP. <div><span class="e" id="q_1160bb90adca4552_1"><br><div><br></div><div><br><div><div>On Nov 4, 2007, at 12:23 PM, Marcelo de Moraes Serpa wrote:</div><br><blockquote type="cite"><blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote"> Read the URL from the browser and see if the domain is valid. I forget how to get it normally but in Flex you get it this way <br></blockquote><br>Yes, but one could possibly decompile the SWF and remove this code (since it is client side). <br><br><div><span class="gmail_quote">On 11/4/07, <b class="gmail_sendername">Jonathan Valliere</b> &lt;<a href="mailto:sybersnake@gmail.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">sybersnake@gmail.com </a>&gt; wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> <div> Read the URL from the browser and see if the domain is valid. 
I forget how to get it normally but in Flex you get it this way <div><br></div><div>Application( Application.application ).url<div><span> <div><br></div><div><br><div><div>On Nov 3, 2007, at 11:40 AM, Jean-Philippe DELAVALLADE wrote:</div><br><blockquote type="cite">It's perhaps a solution <div>but I prefer using a referer like in Flash Media Server</div> <div>I don't find it in RED5</div><div><br><div><div>On 3 Nov. 07, at 16:23, Marcelo de Moraes Serpa wrote:</div><br><blockquote type="cite">Hmm.. yep, haven't thought about the domain restrictions of the player, it might work! <br><br>@Paul: Afaik, it works like this: When the player downloads a SWF from a domain, it looks for a crossdomain.xml file that in turn contains rules on which other domains are allowed to play your SWF files you are serving through your domain. Please someone correct me if I'm wrong. <br><br>Cheers,<br><br>Marcelo.<br><br><div><span class="gmail_quote">On 11/3/07, <b class="gmail_sendername">Jean-Philippe DELAVALLADE</b> &lt;<a href="mailto:jeanphide@orange.fr" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"> jeanphide@orange.fr</a>&gt; wrote:</span> <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div>Thanks Paul :)<div><span style="font-family: Verdana; font-size: 11px; line-height: 16px;"> Add a cross-domain policy, which prevents unauthorized domains from accessing your assets.</span></div><div><font face="Verdana" size="3"><span style="font-size: 11px; line-height: 16px;">but how ??</span></font></div><div> <br></div><div><div><div>On 3 Nov. 07, at 14:42, paul|LOWRES wrote:</div><div><span><br><blockquote type="cite"><div>maybe a cross-domain policy is what you are looking for?<div> <br></div><div><div style="margin: 0px;"> <a href="http://livedocs.adobe.com/flash/9.0/UsingFlash/help.html?content=WSd60f23110762d6b883b18f10cb1fe1af6-7b35.html" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"> http://livedocs.adobe.com/flash/9.0/UsingFlash/help.html?content=WSd60f23110762d6b883b18f10cb1fe1af6-7b35.html </a></div><div style="margin: 0px;"><br></div><div style="margin: 0px;">cheers,</div><div style="margin: 0px;"> paul</div><div style="margin: 0px;"><br></div><div style="margin: 0px;"><br></div><div><div>On 03.11.2007, at 14:01, Marcelo de Moraes Serpa wrote: </div><br><blockquote type="cite">Hello Jean,<br><br>I'm also searching for a way to restrict my Flash application to a domain. Actually I thought of serving the SWF through a script instead of letting the webserver serve it so that I could do this referrer check server-side (Using Ruby/Rails or PHP for example). Code to check the referrer in the SWF could work but someone could decompile your SWF and remove this check. 
<br><br>If someone got some ideas regarding that, please share!<br><br>Marcelo.<br><br><div><span class="gmail_quote">On 10/26/07, <b class="gmail_sendername">Jean-Philippe DELAVALLADE</b> <<a href="mailto:jeanphide@orange.fr" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"> jeanphide@orange.fr</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div><div style="margin: 0px;"><font style="font-family: Monaco; font-style: normal; font-variant: normal; font-weight: normal; font-size: 11px; line-height: normal; font-size-adjust: none; font-stretch: normal;" face="Monaco" size="3"> Hello,</font></div><div style="margin: 0px; min-height: 15px;"><br></div><div style="margin: 0px;"><font style="font-family: Monaco; font-style: normal; font-variant: normal; font-weight: normal; font-size: 11px; line-height: normal; font-size-adjust: none; font-stretch: normal;" face="Monaco" size="3"> I would like to protect my application, do a referrer in fact</font></div><div style="margin: 0px;"><font style="font-family: Monaco; font-style: normal; font-variant: normal; font-weight: normal; font-size: 11px; line-height: normal; font-size-adjust: none; font-stretch: normal;" face="Monaco" size="3"> I've tried this code but the server never run with that :</font></div><div style="margin: 0px; min-height: 15px;"><br></div><div style="margin: 0px;"><font style="font-family: Monaco; font-style: normal; font-variant: normal; font-weight: normal; font-size: 11px; line-height: normal; font-size-adjust: none; font-stretch: normal; color: rgb(124, 22, 85);" color="#7c1655" face="Monaco" size="3"> public</font><font style="font-family: Monaco; font-style: normal; font-variant: normal; font-weight: normal; font-size: 11px; line-height: normal; font-size-adjust: none; font-stretch: normal;" face="Monaco" size="3"> </font> <font style="font-family: Monaco; font-style: normal; 
font-variant: normal; font-weight: normal; font-size: 11px; line-height: normal; font-size-adjust: none; font-stretch: normal; color: rgb(124, 22, 85);" color="#7c1655" face="Monaco" size="3"> boolean</font><font style="font-family: Monaco; font-style: normal; font-variant: normal; font-weight: normal; font-size: 11px; line-height: normal; font-size-adjust: none; font-stretch: normal;" face="Monaco" size="3"> appConnect(IConnection conn, Object[] params) { </font></div><div style="margin: 0px;"><font style="font-family: Monaco; font-style: normal; font-variant: normal; font-weight: normal; font-size: 11px; line-height: normal; font-size-adjust: none; font-stretch: normal;" face="Monaco" size="3"> <span style="white-space: pre;">        </span>String pageUrl = (String)conn.getConnectParams().get(</font><font style="font-family: Monaco; font-style: normal; font-variant: normal; font-weight: normal; font-size: 11px; line-height: normal; font-size-adjust: none; font-stretch: normal; color: rgb(20, 72, 255);" color="#1448ff" face="Monaco" size="3"> "pageUrl"</font><font style="font-family: Monaco; font-style: normal; font-variant: normal; font-weight: normal; font-size: 11px; line-height: normal; font-size-adjust: none; font-stretch: normal;" face="Monaco" size="3"> );</font></div><div style="margin: 0px;"><font style="font-family: Monaco; font-style: normal; font-variant: normal; font-weight: normal; font-size: 11px; line-height: normal; font-size-adjust: none; font-stretch: normal;" face="Monaco" size="3"> <span style="white-space: pre;">        </span></font><font style="font-family: Monaco; font-style: normal; font-variant: normal; font-weight: normal; font-size: 11px; line-height: normal; font-size-adjust: none; font-stretch: normal; color: rgb(0, 55, 195);" color="#0037c3" face="Monaco" size="3"> log</font><font style="font-family: Monaco; font-style: normal; font-variant: normal; font-weight: normal; font-size: 11px; line-height: normal; font-size-adjust: none; 
font-stretch: normal;" face="Monaco" size="3">.debug( </font><font style="font-family: Monaco; font-style: normal; font-variant: normal; font-weight: normal; font-size: 11px; line-height: normal; font-size-adjust: none; font-stretch: normal; color: rgb(20, 72, 255);" color="#1448ff" face="Monaco" size="3"> "L'URL de la pages est : "</font><font style="font-family: Monaco; font-style: normal; font-variant: normal; font-weight: normal; font-size: 11px; line-height: normal; font-size-adjust: none; font-stretch: normal;" face="Monaco" size="3"> +pageUrl);</font></div><div style="margin: 0px;"><font style="font-family: Monaco; font-style: normal; font-variant: normal; font-weight: normal; font-size: 11px; line-height: normal; font-size-adjust: none; font-stretch: normal;" face="Monaco" size="3"> <span style="white-space: pre;">        </span></font><font style="font-family: Monaco; font-style: normal; font-variant: normal; font-weight: normal; font-size: 11px; line-height: normal; font-size-adjust: none; font-stretch: normal; color: rgb(59, 108, 194);" color="#3b6cc2" face="Monaco" size="3"> if(pageUrl</font><font style="font-family: Monaco; font-style: normal; font-variant: normal; font-weight: normal; font-size: 11px; line-height: normal; font-size-adjust: none; font-stretch: normal;" face="Monaco" size="3"> </font><font style="font-family: Monaco; font-style: normal; font-variant: normal; font-weight: normal; font-size: 11px; line-height: normal; font-size-adjust: none; font-stretch: normal; color: rgb(59, 108, 194);" color="#3b6cc2" face="Monaco" size="3"> !=</font><font style="font-family: Monaco; font-style: normal; font-variant: normal; font-weight: normal; font-size: 11px; line-height: normal; font-size-adjust: none; font-stretch: normal;" face="Monaco" size="3"> </font> <font style="font-family: Monaco; font-style: normal; font-variant: normal; font-weight: normal; font-size: 11px; line-height: normal; font-size-adjust: none; font-stretch: normal; color: 
rgb(59, 108, 194);" color="#3b6cc2" face="Monaco" size="3"> "<a href="http://mydomain/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"><font style="color: rgb(0, 68, 242);" color="#0044f2"><u>http://mydomain</u></font></a>"){</font></div><div style="margin: 0px;"> <font style="font-family: Monaco; font-style: normal; font-variant: normal; font-weight: normal; font-size: 11px; line-height: normal; font-size-adjust: none; font-stretch: normal;" face="Monaco" size="3"><span style="white-space: pre;">         </span></font><font style="font-family: Monaco; font-style: normal; font-variant: normal; font-weight: normal; font-size: 11px; line-height: normal; font-size-adjust: none; font-stretch: normal; color: rgb(59, 108, 194);" color="#3b6cc2" face="Monaco" size="3"> return</font><font style="font-family: Monaco; font-style: normal; font-variant: normal; font-weight: normal; font-size: 11px; line-height: normal; font-size-adjust: none; font-stretch: normal;" face="Monaco" size="3"> </font> <font style="font-family: Monaco; font-style: normal; font-variant: normal; font-weight: normal; font-size: 11px; line-height: normal; font-size-adjust: none; font-stretch: normal; color: rgb(59, 108, 194);" color="#3b6cc2" face="Monaco" size="3"> false;</font><font style="font-family: Monaco; font-style: normal; font-variant: normal; font-weight: normal; font-size: 11px; line-height: normal; font-size-adjust: none; font-stretch: normal;" face="Monaco" size="3"> </font> </div><div style="margin: 0px;"><font style="font-family: Monaco; font-style: normal; font-variant: normal; font-weight: normal; font-size: 11px; line-height: normal; font-size-adjust: none; font-stretch: normal;" face="Monaco" size="3"> <span style="white-space: pre;">        </span> </font><font style="font-family: Monaco; font-style: normal; font-variant: normal; font-weight: normal; font-size: 11px; line-height: normal; font-size-adjust: none; font-stretch: normal; color: rgb(59, 108, 194);" 
color="#3b6cc2" face="Monaco" size="3"> }</font></div><div style="margin: 0px;"><font style="font-family: Monaco; font-style: normal; font-variant: normal; font-weight: normal; font-size: 11px; line-height: normal; font-size-adjust: none; font-stretch: normal;" face="Monaco" size="3"> Can you show me the way, in order to my appli just run under my domain ?</font></div><div style="margin: 0px; min-height: 14px;"><br></div><div style="margin: 0px;"><font style="font-family: Monaco; font-style: normal; font-variant: normal; font-weight: normal; font-size: 11px; line-height: normal; font-size-adjust: none; font-stretch: normal;" face="Monaco" size="3"> Thanks guys</font></div><span><div style="margin: 0px; min-height: 14px;"><br></div><div style="margin: 0px;"><font style="font-family: Monaco; font-style: normal; font-variant: normal; font-weight: normal; font-size: 11px; line-height: normal; font-size-adjust: none; font-stretch: normal;" face="Monaco" size="3"> JP</font></div> </span></div><br>_______________________________________________<br>osflash mailing list<br><a href="mailto:osflash@osflash.org" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">osflash@osflash.org </a><br><a href="http://osflash.org/mailman/listinfo/osflash_osflash.org" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"> http://osflash.org/mailman/listinfo/osflash_osflash.org</a><br><br></blockquote> </div><br> </blockquote></div><br> </div></div></blockquote></span> </div> </div><br></div></div><br></blockquote> </div><br> </blockquote></div><br> </div> </blockquote></div><br></div></span></div></div></div><br></blockquote></div><br> </blockquote></div><br></div></span></div></div></div><br></blockquote></div><br> 
</blockquote></div><br></div></div></blockquote></div><br></div></body></html>