May 21, 2008

Cross-Domain 101

I have noticed some confusion around the different cross-domain loading mechanisms in Flash Player. It's a complex topic, so I figured I'd put together a 90-second primer on the differences.


May 14, 2008

Flash and Advertising

Some concerns have been raised lately regarding malicious ads using Flash. The good news is there are already mechanisms in the Flash Player to effectively address these concerns.

I am simplifying here, but there are two main goals for web-based advertisements:
* advertisers want to present compelling, engaging advertisements
* advertisers want users to click through to their websites


February 27, 2008

Sandboxes in AIR

Some interesting questions have been raised regarding sandboxing in AIR, and whether the AIR Application sandbox is "weaker" than the equivalent browser sandbox.

On the face of it, this seems like a reasonable assumption to make. Simply adding system access to a browser sandbox would indeed be much scarier, but that is not what happened. In fact, the AIR Application sandbox is significantly different from a browser sandbox insofar as many high-risk APIs have been disabled or severely restricted, making it far more difficult to attack such applications. So the AIR sandbox is not weaker than a browser sandbox; it is different, and in many respects stronger.


February 26, 2008

AIR Security

We just shipped Adobe AIR 1.0; check it out at http://www.adobe.com/products/air!

AIR lets web developers--whether HTML/AJAX, Flex or Flash--build rich and complex applications that run on the desktop. From a security standpoint, the "desktop" part of that is the key.

If you come from a web development background, you'll find that desktop applications differ significantly security-wise from apps based in the web browser. Desktop applications have direct access to the local system (insofar as the operating system permits, of course), but in return they must be explicitly installed by the user or system administrator.


November 28, 2007

Don't be SSLy!

One of my pet rants is on SSL, or specifically the inappropriate use of SSL on large websites. This is hardly a novel problem, yet even Fortune 500 bank websites continue to make this glaring mistake on their homepages.

A common scenario:

You need to log into your bank / credit card / mortgage company. You go to http://www.pickabank.com, and up comes their home page with a typical login panel ("Login:", "Password:"). The URL is still HTTP but there's a nice padlock icon next to the "Submit" button, and lots of "Hacker safe" iconography everywhere. Having confidence that the site is truly "safe for hackers", you enter your information and hit submit. Right?
