Secure transactions through a Flash-based storefront

* Macromedia’s Flash-based approach to securing Web transactions

After I discussed the forthcoming Macromedia Studio 8 in a previous newsletter, reader Mark Sires wrote, “I went to the Macromedia site to order Studio 8 after your glowing review of it… However, as I began to check out, I noticed that the [Macromedia Online Store] was not secure even though it was asking for my credit card. No lock symbol in IE, address was http, not https.”

Mark wound up purchasing by telephone because of the lack of obvious security. This was an interesting issue, so I asked Macromedia about it and got the following reply from Christian Elgart, chief application architect for Macromedia’s Web Technology Group:

“Macromedia's Online Store has two presentation layers, one in Flash, and one in HTML. When a customer accesses the Flash-based storefront, the Flash Store movie is sent to that customer's browser inside of an HTML hosting template. This communication is done over HTTP as it does not contain any customer data, simply the <object> and <embed> tags that position the movie in the page. Once the Flash movie loads within the customer's browser, the movie makes a separate connection to Macromedia's commerce servers over HTTPS/SSL using Macromedia's Flash Remoting technology.

“Macromedia's Flash Remoting technology bypasses the browser, meaning the browser never sees it, which is why the padlock stays in an unlocked state, even though the Flash Remoting calls are done over HTTPS. This can easily be verified by running this traffic through a proxy, or logging IP packet traffic at the customer machine level.

“While Macromedia could have loaded the Flash Store hosting template over HTTPS, this would have conveyed a false sense of security, as that would have only secured the transmission of the HTML hosting template, and not the customer data which was already being transmitted via Flash Remoting over HTTPS… Customers that are still not comfortable with this solution have the option of visiting the HTML-based storefront where the padlock will appear in the browser as expected.”
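Elgart's suggested check, "run this traffic through a proxy", can be turned into a small audit. The script below is an added example, not Macromedia's code: it reads a constructed proxy capture and confirms that the HTML hosting template and SWF may arrive over plain HTTP, while every Flash Remoting call (identified by the AMF content type) that carries customer data goes over HTTPS. The host names, paths and the capture format are assumptions, not the store's real endpoints.

```python
"""Audit a proxy capture: do all Flash Remoting (AMF) calls use HTTPS?

Added example, not Macromedia's code. Only AMF requests are judged,
because they are the ones carrying customer data; the hosting template
and SWF are expected over HTTP and are listed for information only.
"""
from urllib.parse import urlsplit

AMF_CONTENT_TYPE = "application/x-amf"  # MIME type used by Flash Remoting

# Constructed capture, one request per line: "METHOD URL REQUEST-CONTENT-TYPE".
# Hosts and paths are placeholders (assumed), not the real store's.
SAMPLE_CAPTURE = """\
GET http://store.example.com/flashstore/index.html -
GET http://store.example.com/flashstore/store.swf -
POST https://commerce.example.com/flashservices/gateway application/x-amf
POST https://commerce.example.com/flashservices/gateway application/x-amf
"""

# Same store, but one remoting call mistakenly sent in the clear (constructed).
BAD_CAPTURE = SAMPLE_CAPTURE + \
    "POST http://commerce.example.com/flashservices/gateway application/x-amf\n"


def parse_capture(text):
    """Yield (method, url, content_type) tuples from the capture text."""
    for line in text.splitlines():
        if line.strip():
            method, url, ctype = line.split()
            yield method, url, ctype


def audit_flash_store(capture_text):
    """Classify requests and return a report with an overall 'ok' verdict."""
    report = {"hosting_assets": [], "remoting_over_https": [],
              "remoting_over_http": []}
    for _method, url, ctype in parse_capture(capture_text):
        scheme = urlsplit(url).scheme.lower()
        if ctype == AMF_CONTENT_TYPE:
            key = "remoting_over_https" if scheme == "https" else "remoting_over_http"
            report[key].append(url)
        else:
            report["hosting_assets"].append(url)
    # Verdict: at least one remoting call seen, and none of them over plain HTTP.
    report["ok"] = bool(report["remoting_over_https"]) and not report["remoting_over_http"]
    return report


if __name__ == "__main__":
    for name, capture in (("good", SAMPLE_CAPTURE), ("bad", BAD_CAPTURE)):
        print(name, audit_flash_store(capture))
```

Because the padlock reflects only the browser's own connection, a capture like this is the only way a customer can see where the card data actually went.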

Mark’s comment on this was that this was “an interesting response, and one anyone wanting to use Flash technology for a storefront, or other ‘secure’ application will have to consider. I personally am not comfortable using an Internet site for ‘secure’ information that I can’t easily verify is secure. Since my main development area is healthcare, I doubt that I would use it for any of my development where patient data is involved. Companies expecting consumers to buy the old ‘trust me, it’s really secure’ statement aren’t being very realistic. I think Macromedia will have a tough time selling this in the marketplace; with security breaches reported daily, trust levels on the Internet are appropriately low.”

In light of my comments last time about consumer confidence and the security issues raised by banks abandoning SSL-based logins, I’m curious to know whether the above is a concern to any of you developing Flash-based content. Is this a deal breaker? Is there a workaround? Let me know.

Copyright © 2005 IDG Communications, Inc.