security

Incrue · Post by **Incrue** » 21 Feb 2006, 11:51

I sugest that smart foox have something to know exactly to what swf he is sending the data, so that no other swf beyond my game can read those datas.
I dont know, using cookie maybe
Thats the only way to make a flash game not stealable
-----------
Other cool thing is to have some encryption, so that the swf can send data to the server and the server encrypts it and send back to the swf so that the swf can put encrypted cookies in the pc...and when he needs to read it he will do the same thing again with the server
Thats what i sugest.

Post by **Lapo** » 22 Feb 2006, 06:56

I sugest that smart foox have something to know exactly to what swf he is sending the data, so that no other swf beyond my game can read those datas.
I dont know, using cookie maybe
Thats the only way to make a flash game not stealable

Hi,
using SmartFoxServer you connect your SWF to a persistent socket connection, so no other users will be able to pretend to be you... it's even more secure than http cookies.
About the game not being stealable the problem is with the SWF format and the fact that it's easily decompilable.

Other cool thing is to have some encryption, so that the swf can send data to the server and the server encrypts it and send back to the swf so that the swf can put encrypted cookies in the pc...and when he needs to read it he will do the same thing again with the server

Nice one

We already implemented an encryption scheme for secure login, you can check this tutorial >> http://www.smartfoxserver.com/docs/docP ... cureLogin/

About message encryption it's in our todo-list in prioirity position. Now that Flash 8 has improved performance I think it's possible to implement a client side encryption/decryption system without too many slow downs

goodguy20k · Post by **goodguy20k** » 24 Feb 2006, 14:44

Sounds good, but I hope you're going to have it an option, like with sending stuff to extensions. Right now I use raw mode for position info, and I really don't need it encrypted, but encrypting messages from one person to another could be nice.

Incrue · Post by **Incrue** » 26 Feb 2006, 18:14

Lapo wrote:
I sugest that smart foox have something to know exactly to what swf he is sending the data, so that no other swf beyond my game can read those datas.
I dont know, using cookie maybe
Thats the only way to make a flash game not stealable
Hi,
using SmartFoxServer you connect your SWF to a persistent socket connection, so no other users will be able to pretend to be you... it's even more secure than http cookies.
About the game not being stealable the problem is with the SWF format and the fact that it's easily decompilable.

What i worry is:The guy stole my swf, decompile it, remove the url check and put MY multiplayer game in HIS site
There is any way to SmartFox send data only to swfs who cames from my domain?If there are not, that would be a good new thing
-------
Another thing is about other use for xmlSockets, wich is to store some of the data of a singlePlayerGame.That may be the only way to make a flash game unstealable.
But also, for this to work, the server has to have something to know whats the domain of the swf who wants to conect to him...So that the thief cant stole my swf, remove the url check and put in HIS site to conect to MY server

Post by **Lapo** » 26 Feb 2006, 22:06

What i worry is:The guy stole my swf, decompile it, remove the url check and put MY multiplayer game in HIS site
There is any way to SmartFox send data only to swfs who cames from my domain?If there are not, that would be a good new thing

A trick could be done using the crossdomain policy file.
This file is needed to the flash player in order to connect to an external domain.
Example:
- suppose your SWF is on www.mydomain.com and the multiplayer server is on IP 10.11.12.13

- you will need to put the crossdomain file in the root folder of the webserver running on 10.11.12.13 in order for the flash player to use it

- the file looks like this:

Code: Select all

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy 
  SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="www.mydomain.com" />
</cross-domain-policy>

The SWF will be only able to connect if it's coming from www.mydomain.com, so if someone stole it won't work.

This however doesn't prevent someone to remotely incorporate the SWF file from his website, using an IFRAME or so...
Using some javascript it's probably not too difficult to avoid that problem too.

Incrue · Post by **Incrue** » 28 Feb 2006, 18:37

Good to know this!!!!!!!!!
In fact, its the best news ever!!!!!!!!!!!!!!
IM FOREVER BLOWING BUBBLES!!!!!!!!!!!!
PRETTY BUBBLES IN THE AIRR!!!!!!!

In fact, i dont care about iframe cos,besides the javascript thing, the server can command the swf to say:If you are not playing at www.myurl.com this game is stolen
And also, can make a php to change the name of the swf and the html(or another php) he is in times to times, so they will iframe the worng thing
THEY FLY SO HIGH THEY REACH THE SKYYYYYYYYYYYY!!!!!!!!!!!!!!!!!!!!!

Post by **Lapo** » 28 Feb 2006, 19:35

DiablodeMorte · Post by **DiablodeMorte** » 01 Mar 2006, 18:16

I do like his idea of the server checking the domain of the SWF tho. I don't know/think this is even possible but it would be cool if the server would say: "Hey! That swf file is not coming from sweetsmartfoxservergames.com. WTF?! I'm shutting him down"

Post by **Lapo** » 01 Mar 2006, 19:21

that's exactly what happens with the crossdomain policy file.
The flash player will refuse to connect if it's not coming from the right domain

Francois · Post by **Francois** » 28 Mar 2006, 12:25

Hi,
I'm currently testing SFS for the company I'm working at and I installed version 1.40 on my computer (Windows XP)...

My SWF is on a testing server

and

SFS is ruuning on my machine using my ip...

Where should I put the crossdomain.xml if I want to try that solution ???
On my computer but don't know where exactly.

Thank you guys

Post by **Lapo** » 28 Mar 2006, 12:31

There's no need to put the crossdomain. SFS generates it automatically by default.

You just need to include this line of Actionscript in your code:

Code: Select all

System.security.loadPolicyFile("xmlsocket://192.168.0.1:9339")

Just make sure to put your IP and port number.
The above code should be placed before the server connection.

For more details about how to configure the auto-generated policy file check this page > http://www.smartfoxserver.com/docs/docP ... basics.htm

Francois · Post by **Francois** » 28 Mar 2006, 14:11

You didn't understand me...

What I want is reject connections that are not coming from one of my domain...

How is it possible for SFS to know if the swf asking for connection is under one of my domain ? and not under someone else's domain...

I didn't specify the allowed domains anywhere... I'm not talking about the admin panel, only about my SFS itself.

Because an swf on www.someone-else-website.com using

Code: Select all

System.security.loadPolicyFile("xmlsocket://192.168.0.1:9339")

would be able to connect then...

And it is what I want to avoid

Post by **Lapo** » 28 Mar 2006, 14:27

Ok, sorry for the misunderstanding

In version 1.4.0 we've added a new tag: <PolicyAllowedDomains>
which allows to specify only the domains from which the swf is allowed to connect to the server.

Example:

Code: Select all

<PolicyAllowedDomains>
	<AllowedDomain>gotoandplay.it</AllowedDomain>
	<AllowedDomain>smartfoxserver.com</AllowedDomain>
</PolicyAllowedDomains>

This allows only SWFs coming from those 2 domains to connect to my server
More infos here: http://www.smartfoxserver.com/docs/docP ... basics.htm

Hope it helps

Francois · Post by **Francois** » 28 Mar 2006, 14:32

My bad:

Code: Select all

		<PolicyAllowedDomains>
			<AllowedDomain>site.dev</AllowedDomain>
			<AllowedDomain>www.site.com</AllowedDomain>
		</PolicyAllowedDomains>

That seems to work, good thing...

But on the other hand, if you download the swf file and you open it directly in flash player, you can connect !!!

So you can modify the ActionScript with a decompiler then cheat during the game

This is a big problem, I hope macromedia has it on their roadmap... How to be sure we can trust that the swf that is connecting to our server is trustable...

Is there a way to know if the swf is running locally or from the server to avoid cheaters... ???

Many thanks

Post by **Lapo** » 28 Mar 2006, 14:56

But on the other hand, if you download the swf file and you open it directly in flash player, you can connect

Oh yeah, that's how the sandbox works (no restrictions when running locally)
However this is not as dangerous as having hordes of swf from a high traffic domain connecting to your server.

A single user running a local swf can't do too much harm if you put the right amount of validations in your code (especially server side code)

This is a big problem, I hope macromedia has it on their roadmap... How to be sure we can trust that the swf that is connecting to our server is trustable..

There are many little things that can help:

1- Make your code modular and make it load different external pieces. Maybe even try to obfuscate the strings of the filenames inside your swf.

2- Use a code obfuscator

3- Use the policy file to stop unwanted domains

4- Use server side validation to avoid malicious requests

Is there a way to know if the swf is running locally or from the server to avoid cheaters... ???

Yep, the Flash _url property will tell you the location of the SWF. From it you can check if the file is running locally or not