Some questions about security

Postby bulma171 » 19 Mar 2006, 17:37

Hello all,

1) How can I hide the address of connection to SmartFoxServer in my swf?

2) If a « hacker » can find this address by decompiling my swf, he will then easily be able to realize that I use SmartFoxServer and will be able to use the functions of the SmartFoxServer API on my server...

Do you have some solutions for this security problem?


Thank you very much and sorry for my English :oops:

Postby Virusescu » 19 Mar 2006, 20:20

How can I hide the address of connection to SmartFoxServer in my swf?

Because of the way Flash works you can't hide data from users. You can't even hide the source code, let alone some hardcoded IP string. Even if the IP is not in the swf, the connection established between the client and the server can still be seen with a packet sniffer.

You can make it harder to find but I don't see any reason why you should do this.
And this brings us to your second question:

If a « hacker » can find this address by decompiling my swf, he will then easily be able to realize that I use SmartFoxServer and will be able to use the functions of the SmartFoxServer API on my server...


If you take your time to read through the configuration of the server you will find out that you can restrict from SFS the IPs from which the server accepts connections ;). And that pretty much blows away the takeover attempts of hackers.

In your config XML file you have

<AdminAllowedAddresses>
   <AllowedAddress>*.*.*.*</AllowedAddress>
</AdminAllowedAddresses>

You can add multiple nodes to allow multiple addresses, but make sure to remove the *.*.*.* one so that you don't allow all addresses.
function onJoin(usr) {if (usr.getName() == "Lapo") trace ("All Hail Lapo");}

Postby Lapo » 19 Mar 2006, 23:15

1) How can I hide the address of connection to SmartFoxServer in my swf?

- try encrypting the IP string with a simple or not so simple encryption system (there are various open source implementations of different encryption/decryption algorithms for Flash)
- use external SWFs to make your swf more modular and more difficult to reverse-engineer
- use a SWF code obfuscator


2) If a « hacker » can find this address by decompiling my swf, he will then easily be able to realize that I use SmartFoxServer and will be able to use the functions of the SmartFoxServer API on my server...

We provide many tools for avoiding hacking problems. With the new version 1.4.0 (soon to be released) we'll add even more security tools >> http://www.smartfoxserver.com/docs/docP ... _1.4.0.htm

Another simple and effective technique is to specify in your crossdomain policy file that only SWFs coming from your domain are allowed to connect. In other words any other hacked SWF trying to connect from another domain won't be able to access SmartFoxServer.

:)

p.s. = check this too > http://www.smartfoxserver.com/docs/docP ... vanced.htm
Lapo
--
gotoAndPlay()
...addicted to flash games
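
A check an administrator could run over the two settings discussed in this thread, the AdminAllowedAddresses list and the cross-domain policy file. It is an added example, not SmartFoxServer's or the posters' own code; the file contents, the address 192.0.2.10 and the domain games.example.com are constructed samples, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

def admin_allowlist_findings(config_xml):
    """Return AllowedAddress entries under AdminAllowedAddresses with a wildcard octet."""
    root = ET.fromstring(config_xml)
    findings = []
    for block in root.iter("AdminAllowedAddresses"):
        for node in block.iter("AllowedAddress"):
            addr = (node.text or "").strip()
            if "*" in addr.split("."):
                findings.append(addr)
    return findings

def crossdomain_findings(policy_xml, expected_domains):
    """Return allow-access-from domains that are wildcards or not in expected_domains."""
    root = ET.fromstring(policy_xml)
    expected = {d.lower() for d in expected_domains}
    findings = []
    for node in root.iter("allow-access-from"):
        domain = node.get("domain", "").strip().lower()
        if "*" in domain or domain not in expected:
            findings.append(domain)
    return findings

# Constructed sample inputs: the default entry from the thread, then a restricted list.
WEAK_CONFIG = """<AdminAllowedAddresses>
   <AllowedAddress>*.*.*.*</AllowedAddress>
</AdminAllowedAddresses>"""
HARDENED_CONFIG = """<AdminAllowedAddresses>
   <AllowedAddress>192.0.2.10</AllowedAddress>
</AdminAllowedAddresses>"""

# Constructed policy files: open to any domain, then limited to one domain.
OPEN_POLICY = """<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>"""
RESTRICTED_POLICY = """<cross-domain-policy>
   <allow-access-from domain="games.example.com" />
</cross-domain-policy>"""

if __name__ == "__main__":
    ours = ["games.example.com"]
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print("admin allowlist", name, admin_allowlist_findings(cfg))
    for name, pol in (("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)):
        print("crossdomain", name, crossdomain_findings(pol, ours))
```

An empty list from both functions means no wildcard admin address and no unexpected policy domain were found.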
