[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Gnash-dev] Re: Building in security

From: Eric Hughes
Subject: [Gnash-dev] Re: Building in security
Date: Wed, 02 May 2007 06:56:30 -0600

At 03:19 AM 5/2/2007, Udo Giacomozzi wrote:
Allow me this question: What *real* security risk is there when a
Flash movie loads data from wherever it likes?
So, I'm curious about any real security risk scenario involved with
loading/exchanging data from anywhere.

These days, there aren't very many practical attacks that, in isolation, with a single step, lead to a breach. Instead, combinations of methods, some apparently trivial, create a chain of action that lead in total to a security. So the kind of scenario you're looking for will involve arbitrary other things that might happen, in combination with the designated security-issue-at-question, and may seem like cheating, because it involves pulling rabbits out of hats.

Now, look!, nothing up my sleeve. Arbitrary data exchange is a foundation for DDOS (distributed denial of service), for example, which provides a generic class of malicious use of clients. What are the other details? I can't say right now. What I can say is that allowing arbitrary operations by a client is the moral equivalent of providing a programmable network server. Would you grant login/password to every web site you visit?

To approach to security in this environment is to focus on preserving some set of invariants of authorized use. What those invariants are I cannot say yet.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]