[DFRI-listan] Re: What to expect when running Flash proxy
On Thu, Jun 27, 2013 at 12:28:18PM +0200, Linus Nordberg wrote:
> (CC a publicly archived list with DFRI people on it.)
> We're discussing a couple of things regarding Flash proxy as part of
> deciding what to tell our users about it.
> One question that has popped up is how much bandwidth and CPU load one
> should expect to be consumed by running it.

Bandwidth use is by default unlimited. You can set a bandwidth limit by
While polling, the proxy code makes one HTTP request every 10 minutes.
This interval might change in the future (probably to get longer).
I haven't measured CPU usage. But the main loop is just reading from one
socket and writing to another. The proxy isn't doing any crypto or

> Another one is what security issues there could be as a result of
> running a flash proxy.

The biggest danger, I think, is if someone gets control of the host that
serves flashproxy.js. (Or does something equivalent through DNS spoofing
attacker's choice. (Of course the same danger exists with any kind of
http://code.jquery.com/jquery.js would be able to control a lot of
Otherwise I don't think there's much security risk. The only network
traffic transmitted by the proxy is encrypted, either HTTPS or Tor. A
malicious client could, I suppose, send a small amount of arbitrary
data, but only until the Tor relay kills the connection. Browsers
connecting to a Tor relay might upset some very restrictive firewalls, I
There is always the general risk of running code in a browser, but flash
proxy is probably safer than most web apps in that regard. The weirdest
thing it does is probably WebSocket.