Security Basics mailing list archives
Re: Securing Flash Games.
From: "Dan Crowley" <dan.crowley () gmail com>
Date: Wed, 10 Dec 2008 16:44:34 -0500
Flash, being a technology that runs on the client side, will always be subject to modification. Consider all data coming from the application to be tainted.

Furthermore, any sort of encryption that you use will be difficult (if not impossible) to enforce. Any algorithm or key used will still be stored in the Flash file, and all it takes is some reversing to pull it out. All of a sudden, users can send messages as if they were the Flash game, using your encryption key and algorithm.

Even worse, there are more considerations than the strength of the encryption scheme. Let's say, for example, that you have a Flash poker game. For the sake of argument, you find some way to make the encryption scheme impossible for the user to break. Then, a malicious user (let's call him Mallet) decides to run a packet sniffer on his machine. Mallet picks up the packets his computer sends to the game server. He's down $300, and finally manages to win a piddly $5 back. Mallet then isolates the packet sent after winning those $5 and sends it again. And again. And again, ad nauseam, until he's doing very well indeed at poker.

There are ways to prevent this, but still... Put as much of the process on the server as possible. As long as the logic is on the client side, it will never be secure.

--
Dan Crowley

"One machine can do the work of one hundred ordinary men. No machine can do the work of an extraordinary man."
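The replay scenario from the message above, seen from the server side, as an added example that is not part of the original post: the server keeps balances and open hands itself, decides the outcome itself, and consumes each hand ID on first use, so a re-sent "win" message changes nothing. The class, message fields and the injected `decide_outcome` callable are hypothetical names chosen for illustration.

```python
import secrets

class GameServer:
    """Hypothetical server-authoritative game: the client only names a hand."""

    def __init__(self, balances, decide_outcome):
        self.balances = dict(balances)    # player -> chips, held server-side only
        self._open = {}                   # hand_id -> (player, stake), single use
        self._decide = decide_outcome     # server-side game logic (assumed callable)

    def start_hand(self, player, stake):
        if stake <= 0 or self.balances.get(player, 0) < stake:
            raise ValueError("invalid stake")
        self.balances[player] -= stake            # stake is escrowed immediately
        hand_id = secrets.token_hex(16)           # unguessable one-time identifier
        self._open[hand_id] = (player, stake)
        return hand_id

    def handle_settle(self, msg):
        """Process an untrusted client message; only player and hand_id are read."""
        hand_id = msg.get("hand_id")
        if not isinstance(hand_id, str):
            return "rejected"
        entry = self._open.get(hand_id)
        if entry is None or entry[0] != msg.get("player"):
            return "rejected"                     # unknown, foreign or replayed hand
        del self._open[hand_id]                   # consume the hand before paying out
        player, stake = entry
        if self._decide(hand_id):                 # outcome comes from the server
            self.balances[player] += 2 * stake    # payout from the server's record
        return "settled"


def demo():
    # Outcome fixed to "player wins" so the demonstration is deterministic.
    server = GameServer({"mallet": 100}, decide_outcome=lambda hand_id: True)
    hand = server.start_hand("mallet", 5)
    # Constructed sample message; "amount" stands for a field a modified client adds.
    captured = {"player": "mallet", "hand_id": hand, "amount": 5000}
    results = [server.handle_settle(captured) for _ in range(4)]  # 1 original + 3 replays
    return results, server.balances["mallet"]


if __name__ == "__main__":
    print(demo())
```
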