WebApp Sec mailing list archives

Re: Flash sites


From: ADex <hercules_84058 () yahoo com>
Date: Sat, 6 Sep 2003 09:13:54 -0700 (PDT)

 As with most things regarding security, the "safest" or most secure thing is
reliant upon the person securing it, and the tools they use in order to aid
them in doing so. Although you didn't mention the server aspect, directly, I do
agree that the server is ultimately what you want to secure, and also potential
information that may leak either from the file or the server.
 You've brought up an interesting point, and I would have to say that in my
opinion to limit the flash file's interaction with other scripts, processes, or
files you are limiting the insecurity somewhat, but it could also be argued
that you were increasing the insecurity as well. For instance limiting the
information you want to present to a user to one flash file, or even multiple
flash files, would allow you to prevent the server from having much interaction
with the file, or indirectly the client thereby decreasing the insecurity. You
have to consider, as others have said, that flash files are client side, and
any information they contain is open to anyone who wants to read it thereby
increasing the amount of insecurity. On the other hand if your flash file were
to connect to another script, file, or service, it would yes increase the
amount of security constraints, but it would also allow you to secure them
separately and protect the information contained within them. Therefore I say
that the security is ultimately determined by the person securing it. It has
generally been my contention that it is better to use multiple layers of
security as opposed to a single layer (as most would probably agree). But
bringing in multiple layers of security also brings in more potential
vulnerabilities, and also more work for the person in charge.
 From an auditing aspect I agree with the consensus of the rest of the group in
saying that you are likely to find little problems from a flash file isolated
from everything else. I wouldn't agree that it would be the safest simply
because the potential information that may escape to the client side, and if
nothing else the designer's name, and methods of design could be considered
valuable information in some cases, which is most often included somewhere
within the flash file. But this is also the case with a simple HTML file linked
to nothing else. 

Summary: I think that it is about 50:50 between security and insecurity. And
probably just as secure or possibly less than other client side web languages.

Aj Dexter
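The point above that a flash file is delivered to the client and anything inside it can be read by anyone is easy to demonstrate. The following Python script is an added illustration, not code from either poster: it builds a constructed SWF (both the plain FWS form and the zlib-compressed CWS form), parses the header, and pulls out printable strings the way strings(1) would. The sample body and the "designer" credit in it are made up for the demonstration.

```python
import re
import struct
import zlib

# Constructed sample body, not taken from any real site: a stub for the
# RECT/frame fields, one text string, an authoring credit, and an End tag.
SAMPLE_BODY = (
    b"\x3f\x03"                                  # stub header fields
    + b"Welcome to the demo site\x00"
    + b"Author: J. Designer (Acme Studio)\x00"  # credit tools often embed
    + b"\x00\x00"                                # End tag
)

def build_swf(body: bytes, compressed: bool, version: int = 6) -> bytes:
    """Wrap a body in an SWF header: FWS = plain, CWS = zlib-compressed body.
    FileLength is the uncompressed size including the 8-byte header."""
    sig = b"CWS" if compressed else b"FWS"
    header = sig + bytes([version]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compressed else body)

def parse_swf(data: bytes) -> dict:
    """Return header fields plus the (decompressed) body of an SWF blob."""
    if len(data) < 8:
        raise ValueError("too short to be an SWF")
    sig, version = data[:3], data[3]
    length = struct.unpack("<I", data[4:8])[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])     # compression is not protection
    elif sig == b"ZWS":
        raise NotImplementedError("LZMA-compressed SWF not handled here")
    else:
        raise ValueError(f"not an SWF signature: {sig!r}")
    if 8 + len(body) != length:
        raise ValueError("FileLength does not match decompressed size")
    return {"signature": sig.decode(), "version": version,
            "length": length, "body": body}

def extract_strings(body: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs of min_len or more: what any client can read."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, body)]

def audit_swf(data: bytes) -> list:
    """Strings exposed by a file, regardless of whether it was compressed."""
    return extract_strings(parse_swf(data)["body"])

if __name__ == "__main__":
    for compressed in (False, True):
        swf = build_swf(SAMPLE_BODY, compressed)
        print(parse_swf(swf)["signature"], audit_swf(swf))
```

Running it shows the same strings recovered from the compressed and uncompressed forms, which is the reason credits and similar details in a flash file should be treated as public.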


On Wednesday, September 3, 2003, at 09:14 AM, John Madden wrote:
Hello all,

If a web site contains only flash files and has no
write permissions to modify those flash files, no
default files or other potentially dangerous scripts
can we say that is the "safest" form of a web site ?

Are there any other concerns in auditing a flash based
site ?

Thanks

John
