Flash Cookie Myths Dispelled

Okay, after some searching and some great help from other Adobe Community Professionals I have managed to put together a bit of ‘real information’ regarding Flash Cookies. It’s really amazing how stories can be made up to sound malicious when facts are either unknown or simply left out.

————————————-

Here is the meat of the initial e-mail:

An acquaintance of mine noticed something unusual while going through a privacy page today, and with a little bit of research via Google, here is what he discovered. Without trumpets or fanfare, without public announcement, and in most cases without any mention of this on their privacy page, a majority of websites have started to use a little-known feature of the common Adobe Flash Player plug-in to track user movements through the Internet. Adobe Flash can write files to your computer similar in nature to a cookie, a type of file called a Local Shared Object. These Super Cookies have been enhanced over what ordinary cookies can do:

* they can be up to 100k in size or more, compared to 4k for a browser cookie;
* they never expire;
* the built-in privacy features in the browser are entirely unaware of their presence and they neither block nor delete them;
* they work across browsers, so that a site visited in Internet Explorer could track site visits made by Firefox, for example;
* they can (and do) resurrect browser cookies that the user deleted (e.g., you can set your browser to automatically delete all cookies when it exits, but the next time you start it up again — they’re baaaack!);
* they are capable of storing any information entered in a Flash-based form (e.g. names, passwords, credit card numbers), and any other site could be capable of reading them (not to overly alarm anyone - this is an unlikely scenario but is only mentioned to describe what is technically possible).

In addition, Adobe Flash Player has started to use a Peer-to-Peer file sharing model (like Bittorrent and various other file sharing services). What this means is that if you visit a particular website and its Flash content is downloaded to your computer (a YouTube video for example), that in future when another visitor views the same Flash content, rather than downloading all of that file from the website, the peer-to-peer technology will grab that file from your computer and the computer of other users that viewed that file. While this does not pose a security risk, it does use your upload bandwidth and computer resources without your consent. If you use your Internet connection for telephone service this will degrade voice quality, particularly for the other person (not so much for you, unless that other person has a Flash player serving files too). If your service provider has a monthly limit for uploads and downloads (and a lot of them hate peer-to-peer traffic) this could cause you problems.

————————————–

Well now here are some truths:

The Cookies:

Yes, Flash Player can store browser-independent cookies, and yes, they usually don’t get removed when the user clears his browser cookies, BUT:

A cookie written by one domain can only be read by that particular domain. This means that if a Flash app stores some confidential information on the computer, only applications from the same website can read that information. Cookies are stored in a specific folder and Flash Player applications have access just to that folder.

As for the details in the shared objects/cookies: the application that owns them can read the data back out, but sharing arbitrary files from your hard drive can’t happen without you specifically asking for it.
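Because browser cookie clearing usually leaves these files behind, it helps to see what is stored and which domain owns it. The following script is an added example, not code from the original post or from Adobe: it inventories Local Shared Object (`.sol`) files grouped by the domain folder they sit in. The directory layout `<root>/<id>/<domain>/.../<name>.sol`, the sample domains, and all function names are assumptions, and the tree it scans is constructed sample data.

```python
from collections import defaultdict
from pathlib import Path
import tempfile

# Reporting threshold: the "100k" figure quoted in the e-mail above.
QUOTA_BYTES = 100 * 1024


def inventory_lsos(shared_objects_root):
    """Group .sol files by owning domain.

    Assumed layout: <root>/<random id>/<domain>/<optional path>/<name>.sol
    Returns {domain: {"files": [relative paths], "bytes": total size}}.
    """
    root = Path(shared_objects_root)
    report = defaultdict(lambda: {"files": [], "bytes": 0})
    for sol in root.rglob("*.sol"):
        parts = sol.relative_to(root).parts
        if len(parts) < 3:  # need at least <id>/<domain>/<file>
            continue
        domain = parts[1]  # the per-domain folder is the ownership boundary
        report[domain]["files"].append("/".join(parts[2:]))
        report[domain]["bytes"] += sol.stat().st_size
    return dict(report)


def over_quota(report, quota=QUOTA_BYTES):
    """Domains whose stored data exceeds the threshold, sorted by name."""
    return sorted(d for d, info in report.items() if info["bytes"] > quota)


def build_sample_tree(base):
    """Create constructed sample data; returns the #SharedObjects root."""
    root = Path(base) / "#SharedObjects"
    samples = {  # hypothetical domains and file names
        "ABCD1234/video.example/player.swf/settings.sol": 512,
        "ABCD1234/video.example/player.swf/history.sol": 2048,
        "ABCD1234/tracker.example/t.swf/id.sol": 120 * 1024,
    }
    for rel, size in samples.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"\x00" * size)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        rep = inventory_lsos(build_sample_tree(tmp))
        for domain, info in sorted(rep.items()):
            print(domain, info["bytes"], sorted(info["files"]))
        print("over threshold:", over_quota(rep))
```

To audit a real profile, pass the Flash Player `#SharedObjects` directory for your platform to `inventory_lsos`.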

The P2P stuff:

In my opinion this is the part that would have been scary if what was written originally was true. So I have tried to compile as much info regarding the P2P technology as I could.

P2P is an interesting approach for the Flash Platform, especially for video sharing. It clearly doesn’t work for progressive download (e.g. YouTube).

Where P2P makes a lot of sense is a situation where, for example, you have three people in your household watching the World Cup. Rather than downloading three copies of the live stream, you can have one client download it and share it with the others in your household (which would have a very fast speed and ping rating). You, of course, would authorize the P2P transfer to these users, so all three of you could watch the HD version rather than the SD version due to bandwidth.

Yes, a dialog box will be presented to the user before P2P can be initiated. The bottom line is that P2P does not happen without user consent, and once authorized it is restricted to that particular domain and is not a free-for-all.

And yes, that part about YouTube videos being served by your machine to other users is total BS. Even if Flash wanted to share downloaded videos, it could not simply pull them out of the browser cache. Moreover, YouTube would have to deploy such functionality AND a user would have to grant permission. P2P in Flash can be used for small-scale replication of files amongst a known group of peers and is also great for efficient live broadcasts (essentially relaying received bits out of RAM, not from the hard drive).

“In addition, Adobe Flash Player has started to use a Peer-to-Peer file sharing model (like Bittorrent and various other file sharing services). What this means is that if you visit a particular website and its Flash content is downloaded to your computer (a YouTube video for example), that in future when another visitor views the same Flash content, rather than downloading all of that file from the website, the peer-to-peer technology will grab that file from your computer and the computer of other users that viewed that file.”

Also, this could only work if you still had the website and the Flash SWF open and running at the same time. It’s not something that can eat up bandwidth in the background after the fact.

Here is a link on the P2P stuff: http://labs.adobe.com/technologies/stratus/

———————-

Here’s an info quote from a primary engineer who does work on P2P:

Regarding the P2P stuff: shenanigans! That isn’t how our P2P stuff works. Sensationalist FUD.

For one, the P2P stuff that’s “like Bittorrent and various other file sharing services” can only be used in Flash Player if the user agrees to the “Peer Assisted Networking” dialog. And while that choice *can* be remembered, it’s per-domain (of the SWF), and remembering is not the default (so the user is asked every time the SWF starts and wants to do P2P stuff). So there’s no “[using] your upload bandwidth and computer resources without your consent”; it’s exactly the opposite of that.

Second: Even if the user agreed in the “Peer Assisted Networking” dialog, Flash Player has no “background” mode, so if the user closes his browser, FP stops running. So if the user had given his consent for P2P activity, and P2P action was happening, it would stop as soon as the user moved to a different page or closed the window.

Third: Flash Player can only access the user’s file system to read/write files through a file access dialog box, so the only data that can be conveniently shared P2P is data already in Flash Player’s memory. It certainly can’t go grub around on the user’s disk and share files that were downloaded in the past or something. It can ask the user to select a file to read (in its entirety) into memory in the standard file finder dialog, or write a file (in its entirety) to disk through a similar dialog.

Fourth: the “like Bittorrent” P2P mode of RTMFP (we call it “object replication”) requires considerable developer effort to use; it is not automatic.  Even P2P multicast (which is only for live content) requires a non-zero developer effort to use.  So it’s not the case that using Flash Player 10.1 automatically makes you into a file sharing fiend.  And in fact from the previously stated points, it’s not possible (invisibly, without the user’s consent and heavy involvement) to turn the user into a file sharing fiend at all.

Basically, the fears specific to P2P are unfounded.

—————-

Some informative links on the subject:

http://www.adobe.com/products/flashplayer/articles/lso/
http://blogs.adobe.com/jd/2010/01/private_browsing.html
http://blogs.adobe.com/jd/2010/01/inside_adobe_security.html
