[unisog] Flash "socket policy" servers on port 843?

Albert Lunde atlunde at panix.com
Wed Dec 17 21:03:50 GMT 2008


Earlier this year Adobe started revising their security model for Flash
clients so that they sometimes try to look for a "socket policy" server on
TCP port 843, as well as looking for crossdomain.xml files on http servers.

Are you doing anything with this on web servers and/or firewalls?

I'm the web server administrator of a server with a number of virtual hosts
with content from different departments.

Looking at the documentation, as a server administrator, the whole scheme
seems kind of like robots.txt, in that one wants to declare a file with
policies appropriate to the server as a whole, but it's hard to aggregate
automatically.

Reading Adobe documents makes it sound like it is a good thing for Flash
security to declare a policy even if you aren't using Flash.

This port 843 server is _not_ an HTTP server, but something simpler that
just spits out a single XML document on a TCP connection. I've found
several short implementations, but I'm not confident that they are secure
or will scale to a large amount of traffic.

So I'm not rushing to set up such a server.

It seems possible to me that it may be useful to open port 843 in the
firewall to a web server, or have a firewall reject connections, even if
one is not running this server, so that Flash clients trying to connect to
port 843 will get a prompt refusal, rather than waiting for a timeout.

(This is just me extrapolating from reading the documents, I haven't
found a definite statement that this is the case.)

(Our server has a fair number of swf files, but I don't _think_ they need
to do cross-domain connections. Web accessibility policy tends to put Flash
in a secondary role, rather than trying to build sites entirely with Flash.)

Related articles:

<http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html>

<http://www.adobe.com/devnet/flashplayer/articles/socket_policy_files.html>

-- 
    Albert Lunde  albert-lunde at northwestern.edu
                  atlunde at panix.com  (new address for personal mail)
                  albert-lunde at nwu.edu (old address)
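Added example (not code from the original post, and not one of the short implementations the post refers to): a minimal socket policy responder for port 843 with the limits a server administrator would want, plus a client that does what Flash Player does so a deployment can be checked from another machine. It assumes, from Adobe's socket policy file article, that the client sends the literal string `<policy-file-request/>` followed by a NUL byte and expects the policy XML back, also NUL-terminated; the `permitted-cross-domain-policies` values `none` and `master-only` are taken from Adobe's documented policy syntax. The domain and port values in the usage block are constructed.

```python
"""Minimal Flash socket policy responder for TCP port 843 (added example).

Protocol assumed from Adobe's socket policy documentation: the client opens
a TCP connection, sends "<policy-file-request/>" terminated by a NUL byte,
and reads the policy XML, also NUL-terminated, after which both sides close.
"""
import html
import socket
import threading

POLICY_REQUEST = b"<policy-file-request/>\0"   # the only input we answer
READ_TIMEOUT_SECONDS = 3.0                     # idle clients are dropped


def build_policy(allow=None):
    """Build the NUL-terminated master policy document.

    allow maps a domain pattern to the to-ports value it may reach, e.g.
    {"www.example.edu": "5000-5010"} (constructed values).  With allow
    empty the result is a deny-everything master policy, the conservative
    default for a host that serves swf files but needs no cross-domain
    socket access.
    """
    lines = [
        '<?xml version="1.0"?>',
        '<!DOCTYPE cross-domain-policy SYSTEM '
        '"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">',
        "<cross-domain-policy>",
    ]
    if allow:
        # master-only: only this document, not a policy served from some
        # other port on the host, may grant socket access.
        lines.append('  <site-control permitted-cross-domain-policies="master-only"/>')
        for domain, ports in allow.items():
            lines.append('  <allow-access-from domain="%s" to-ports="%s"/>'
                         % (html.escape(domain), html.escape(ports)))
    else:
        lines.append('  <site-control permitted-cross-domain-policies="none"/>')
    lines.append("</cross-domain-policy>")
    return "\n".join(lines).encode("ascii") + b"\0"


DENY_ALL_POLICY = build_policy()


def handle_request(data, policy=DENY_ALL_POLICY):
    """Return the response for the bytes read from a client, or None.

    Only the exact Flash request is answered.  HTTP probes, scanner banners
    and truncated input get nothing, so the listener cannot be turned into
    a generic echo or banner service.
    """
    return policy if data == POLICY_REQUEST else None


def serve_client(conn, policy):
    """Read at most len(POLICY_REQUEST) bytes, stop early on divergence,
    answer if it was the real request, then close."""
    try:
        conn.settimeout(READ_TIMEOUT_SECONDS)
        data = b""
        while len(data) < len(POLICY_REQUEST) and POLICY_REQUEST.startswith(data):
            chunk = conn.recv(len(POLICY_REQUEST) - len(data))
            if not chunk:
                break
            data += chunk
        response = handle_request(data, policy)
        if response is not None:
            conn.sendall(response)
    except OSError:          # timeouts and resets are expected; just drop
        pass
    finally:
        conn.close()


def start_server(host="0.0.0.0", port=843, policy=DENY_ALL_POLICY):
    """Bind, run an accept loop in a daemon thread, return (thread, port).

    Port 843 is privileged on Unix: bind as root and drop privileges, or
    forward 843 from the firewall to an unprivileged port.  port=0 picks a
    free port, which is handy for local checks.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((host, port))
    listener.listen(128)
    bound_port = listener.getsockname()[1]

    def accept_loop():
        while True:
            conn, _ = listener.accept()
            threading.Thread(target=serve_client, args=(conn, policy), daemon=True).start()

    thread = threading.Thread(target=accept_loop, daemon=True)
    thread.start()
    return thread, bound_port


def fetch_policy(host, port=843, timeout=3.0):
    """Act like the Flash client: connect, send the request, read until the
    NUL terminator or EOF.  A closed port raises ConnectionRefusedError,
    which is the prompt refusal the post is asking about."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(POLICY_REQUEST)
        buf = b""
        while not buf.endswith(b"\0") and len(buf) < 65536:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf.rstrip(b"\0").decode("ascii")


if __name__ == "__main__":
    # Constructed example: grant one department host a port range.
    thread, port = start_server(policy=build_policy({"www.example.edu": "5000-5010"}))
    print("socket policy server listening on port", port)
    thread.join()
```

The two design points that matter for the "secure and will scale" worry in the post: the server reads no more than the 23 bytes of the one request it recognises and stops reading as soon as the input diverges, so a connection can never make it buffer or echo arbitrary data, and every connection has a short read timeout and is closed right after the single write, so idle or half-open clients do not pin resources. Running `fetch_policy("www.example.edu")` from another host (constructed name) shows either the policy text or the refusal a Flash client would see.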