[unisog] Flash "socket policy" servers on port 843?
atlunde at panix.com
Wed Dec 17 21:03:50 GMT 2008
Earlier this year Adobe started revising their security model for Flash
clients so that they sometimes try to look for a "socket policy" server on
TCP port 843, as well as looking for crossdomain.xml files on http servers.
Are you doing anything with this on web servers and/or firewalls?
I'm the web server administrator of a server with a number of virtual hosts
with content from different departments.
Looking at the documentation, as a server administrator, the whole scheme
seems kind of like robots.txt, in that one wants to declare a file with
policies appropriate to the server as a whole, but it's hard to aggregate
Reading Adobe documents makes it sound like it is a good thing for Flash
security to declare a policy even if you aren't using Flash.
This port 843 server is _not_ an HTTP server, but something simpler that
just spits out a single XML document on a TCP connection. I've found
several short implementations, but I'm not confident that they are secure
or will scale to a large amount of traffic.
So I'm not rushing to set up such a server.
It seems possible to me that it may be useful to open port 843 in the
firewall to a web server, or have a firewall reject connections, even if
one is not running this server, so that flash clients trying to connect to
port 843 will get a prompt refusal, rather than waiting for a timeout.
(This is just me extrapolating from reading the documents, I haven't
found a definite statement that this is the case.)
(Our server has a fair number of swf files, but I don't _think_ they need
to do cross-domain connections. Web accessibility policy tends to put Flash
in a secondary role, rather than trying to build sites entirely with Flash.)
Albert Lunde albert-lunde at northwestern.edu
atlunde at panix.com (new address for personal mail)
albert-lunde at nwu.edu (old address)
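To make the port 843 exchange described in the message concrete, here is an added example (not code from the post, from unisog, or from Adobe) of the whole exchange: a small socket policy server that answers the player's NUL-terminated `<policy-file-request/>` with a NUL-terminated policy document and then closes the connection, plus the client side that fetches it. The domain `www.example.edu` and port `8080` are constructed placeholders; the request string and trailing NUL follow Adobe's published socket policy protocol. The server reads at most the length of the expected request, applies a per-connection timeout, and grants nothing unless a domain is explicitly listed, which addresses the "is it secure" and "does it scale" concerns from the post.

```python
import socket
import socketserver
import threading
from typing import Dict, Optional
from xml.sax.saxutils import quoteattr

# Exact request a Flash Player sends on TCP 843 (NUL-terminated, per Adobe).
POLICY_REQUEST = b"<policy-file-request/>\0"
MAX_REQUEST_BYTES = len(POLICY_REQUEST)   # never read more than this
REQUEST_TIMEOUT = 3.0                     # seconds a client may take to ask


def build_policy(allowed: Dict[str, str]) -> bytes:
    """Build a socket policy document, NUL-terminated as the player expects.

    `allowed` maps a domain to the port spec it may reach, e.g.
    {"www.example.edu": "8080"} (constructed placeholder values).
    An empty dict yields a policy that grants no cross-domain socket access.
    """
    lines = [
        '<?xml version="1.0"?>',
        '<!DOCTYPE cross-domain-policy SYSTEM '
        '"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">',
        "<cross-domain-policy>",
        '  <site-control permitted-cross-domain-policies="master-only"/>',
    ]
    for domain, ports in sorted(allowed.items()):
        # quoteattr escapes quotes/angle brackets so a domain string
        # cannot break out of the attribute.
        lines.append("  <allow-access-from domain=%s to-ports=%s/>"
                     % (quoteattr(domain), quoteattr(ports)))
    lines.append("</cross-domain-policy>")
    return ("\n".join(lines) + "\n").encode("utf-8") + b"\0"


def handle_request(data: bytes, policy: bytes) -> Optional[bytes]:
    """Return the policy only for the exact request; anything else gets None."""
    return policy if data == POLICY_REQUEST else None


class PolicyHandler(socketserver.BaseRequestHandler):
    def handle(self) -> None:
        self.request.settimeout(REQUEST_TIMEOUT)
        buf = b""
        try:
            # Bounded read: stop at the NUL or once the maximum length is hit.
            while len(buf) < MAX_REQUEST_BYTES:
                chunk = self.request.recv(MAX_REQUEST_BYTES - len(buf))
                if not chunk:
                    break
                buf += chunk
                if buf.endswith(b"\0"):
                    break
            reply = handle_request(buf, self.server.policy)
            if reply is not None:
                self.request.sendall(reply)
        except (socket.timeout, OSError):
            pass  # slow or broken client: just drop the connection
        # Returning closes the socket; the protocol is one request, one reply.


class PolicyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address, policy: bytes):
        super().__init__(address, PolicyHandler)
        self.policy = policy


def start_background_server(policy: bytes, host="127.0.0.1", port=0):
    """Start the server on a thread; returns (server, bound_port)."""
    srv = PolicyServer((host, port), policy)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def fetch_policy(host: str, port: int, timeout=REQUEST_TIMEOUT) -> bytes:
    """Client side of the exchange: send the request, read until NUL/EOF."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(POLICY_REQUEST)
        buf = b""
        while not buf.endswith(b"\0"):
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
        return buf


if __name__ == "__main__":
    # Real deployment would bind port 843 (privileged) with an explicit list.
    with PolicyServer(("0.0.0.0", 843), build_policy({"www.example.edu": "8080"})) as srv:
        srv.serve_forever()
```

Run as a script it listens on 843 (which needs root or a port-capability); the background-server helper exists so the same code can be exercised on a loopback ephemeral port. Note that an empty `allowed` dict still produces a valid, NUL-terminated document, so clients get a quick definitive "no" rather than a timeout.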