What are the risks of having secure=false in a crossdomain.xml

The allow-access-from node has an optional attribute 'secure'. So say the crossdomain.xml on mysite.com has:

<allow-access-from domain="subdomain.example.com" secure="false" />

If this is set to true (default), a Flash client retrieved over HTTP cannot access data on mysite.com over HTTPS.

I can only think of one risk in setting secure to false: A user with a poisoned hosts file or DNS server might be diverted to a Flash client on a fake http://subdomain.example.com. This Flash client can now access sensitive data on mysite.com (assuming our user is logged in to mysite.com).

Are there any further risks? I assume the data is still encrypted, as the client is connecting to an https server, so it is protected on the transport.

I've read the Flash security white paper, and it didn't go into any details on risks: http://www.adobe.com/devnet/flashplayer/articles/flash_player10_security_wp.html

Thanks!

hypertext asked Sep 24 '11 10:09


1 Answer

While any data sent to your SWF will be secure (assuming it's connected to via HTTPS), data sent to the SWF from a third party would not be secure via this setup as you already know.

For example, I log in to your SWF with my social security number. The connection to the SWF is secure so I'm "safe" there. However, your SWF sends the login data to your server via HTTP to verify my credentials. Upon receiving valuable data from your server with an unsecured connection, security is compromised.

You're safe if the data is not important, but as a rule of thumb I would always connect HTTPS to HTTPS when it's possible.

Regards-

Jacksonkr answered Sep 29 '22 21:09
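
An added example, not part of the original question or answer: a small Python audit that parses a crossdomain.xml and reports every allow-access-from entry carrying an explicit secure="false", the setting discussed in this thread. The sample policy, the function name audit_policy and the finding fields are constructed for illustration; the wildcard flag goes slightly beyond the thread's single-domain case.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy, standing in for https://mysite.com/crossdomain.xml
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="subdomain.example.com" secure="false" />
  <allow-access-from domain="static.example.com" />
  <allow-access-from domain="*.example.net" secure="true" />
  <allow-access-from domain="*" secure="false" />
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Return one finding per allow-access-from entry that admits HTTP-loaded SWFs."""
    # ElementTree does not fetch external DTDs; for policies from untrusted
    # sources a hardened parser such as defusedxml is the safer choice.
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.iter("allow-access-from"):
        domain = node.get("domain", "")
        # 'secure' is optional and defaults to true, so only an explicit
        # false weakens the policy. Comparing case-insensitively is a
        # conservative choice made by this example.
        secure = node.get("secure", "true").strip().lower()
        if secure != "false":
            continue
        findings.append({
            "domain": domain,
            # A wildcard widens the set of HTTP origins that get access.
            "wildcard": "*" in domain,
            "issue": "SWFs loaded over plain HTTP from this domain may "
                     "read HTTPS content on the policy host",
        })
    return findings


if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        scope = "wildcard" if f["wildcard"] else "single domain"
        print(f"[{scope}] {f['domain']}: {f['issue']}")
```
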