
[DFRI-listan] Re: What to expect when running Flash proxy



On Thu, Jun 27, 2013 at 12:28:18PM +0200, Linus Nordberg wrote:
> (CC a publicly archived list with DFRI people on it.)
> 
> We're discussing a couple of things regarding Flash proxy as part of
> deciding what to tell our users about it.
> 
> One question that has popped up is how much bandwidth and CPU load one
> should expect to be consumed by running it.

Bandwidth use is by default unlimited. You can set a bandwidth limit by
query string:
	embed.html?ratelimit=200k

While polling, the proxy code makes one HTTP request every 10 minutes.
This interval might change in the future (probably to get longer).

I haven't measured CPU usage. But the main loop is just reading from one
socket and writing to another. The proxy isn't doing any crypto or
anything.

> Another one is what security issues there could be as a result of
> running a flash proxy.

The biggest danger, I think, is if someone gets control of the host that
serves flashproxy.js. (Or does something equivalent through DNS spoofing
for example.) Then web browsers would be running JavaScript of an
attacker's choice. (Of course the same danger exists with any kind of
hotlinked JavaScript. For example an attacker with access to
http://code.jquery.com/jquery.js would be able to control a lot of
computers.)

Otherwise I don't think there's much security risk. The only network
traffic transmitted by the proxy is encrypted, either HTTPS or Tor. A
malicious client could, I suppose, send a small amount of arbitrary
data, but only until the Tor relay kills the connection. Browsers
connecting to a Tor relay might upset some very restrictive firewalls, I
suppose.

There is always the general risk of running code in a browser, but flash
proxy is probably safer than most web apps in that regard. The weirdest
thing it does is probably WebSocket.

David Fifield
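
The hotlinked-script risk described in the reply above can be watched for from the embedding side by comparing the script a host currently serves against the digest of a copy that was reviewed. The following is an added example, not code from this post or from the flash proxy project; it uses the `alg-base64digest` value format of the browser Subresource Integrity mechanism, and the script bytes and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Digest algorithms accepted in a pin, weakest to strongest.
_ALGS = ("sha256", "sha384", "sha512")

def integrity_value(script: bytes, alg: str = "sha384") -> str:
    """Return an SRI-style 'alg-base64digest' string for the script bytes."""
    digest = hashlib.new(alg, script).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"

def matches_pin(script: bytes, pinned: str) -> bool:
    """Check script bytes against a space-separated list of pinned values.

    Only the strongest algorithm present in the pin list is enforced, so a
    weaker digest cannot be used to accept content the stronger one rejects.
    """
    pins = {}
    for token in pinned.split():
        alg, sep, b64 = token.partition("-")
        if sep and alg in _ALGS:
            pins.setdefault(alg, []).append(b64)
    if not pins:
        return False  # fail closed: no usable pin means no trust
    strongest = max(pins, key=_ALGS.index)
    actual = integrity_value(script, strongest).split("-", 1)[1].encode()
    return any(hmac.compare_digest(actual, p.encode()) for p in pins[strongest])

# Constructed stand-in for a reviewed copy of the hotlinked script.
KNOWN_GOOD = b"/* constructed sample script */\nfunction poll() {}\n"
# Constructed stand-in for what the host serves after someone changes it.
TAMPERED = KNOWN_GOOD + b"/* code added by whoever controls the host */\n"
# Pin recorded at review time.
PIN = integrity_value(KNOWN_GOOD)

if __name__ == "__main__":
    for label, body in (("reviewed copy", KNOWN_GOOD), ("served copy", TAMPERED)):
        verdict = "matches pin" if matches_pin(body, PIN) else "DOES NOT match pin"
        print(f"{label}: {verdict}")
```

A check like this only reports that the served bytes changed; deciding whether the change is a legitimate update still needs a review of the new script.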