[OSM-newbies] Rendering OSM without Adobe Flash

john whelan jwhelan0112 at gmail.com
Thu Nov 19 14:18:22 GMT 2009


I do have a background in computer security at corporate level.  The
risk to the end user is they have no control over the web site but
they do have control over their machines and I think I'm right in
saying if Flash is not installed on the machine then there is no
security risk so I disagree with your statement "none are the Flash
Player itself.".  In technical terms not having Flash installed
reduces the attack surface.

The question was asked merely to see if there were alternatives
available for those who chose not to have Adobe Flash installed and
I'm very glad to see there are and to me that is the end of the
conversation.

Many thanks for your input.

Cheerio John

2009/11/19 Richard Fairhurst <richard at systemed.net>:
> John Whelan wrote:
>> Is it possible?  I note there is a major security problem with Adobe Flash.
>
> Er, no there isn't.
>
> Flash is far from perfect but this alleged 'exploit' is largely
> hysteria. There are three causes and none of them are the Flash Player
> itself:
>
> - Unconfigured webservers which don't send the correct
> Content-Type/Content-Disposition headers;
> - Browsers which don't parse Content-Type headers as they should;
> - Sites that allow users to upload arbitrary executables, including
> but not limited to Flash.
>
> Since OSM does not (to the best of my knowledge) allow such uploads,
> the issue doesn't arise.
>
> I would recommend reading:
> -
> http://blogs.pcmag.com/securitywatch/2009/11/so-called_flash_vulnerability.php
> - http://blogs.adobe.com/asset/2009/11/flash_content_and_the_same-ori.html
> -
> http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html (the
> article itself is largely hyperbole, but the comments are quite
> informative)
>
> One summary from the latter:
>
> "What this comes down to is that web site administrators (and
> application engineers) need to make sure that untrusted SWF content
> (e.g. message attachments) must not be served over HTTP - they need to
> make sure that the server forces the browser to download the SWF to
> their local filesystem. "
>
> Which is common sense.
>
> As others have pointed out, Flash has nothing to do with OSM rendering
> anyway and if you still like tin hats, other editors are available.
>
> cheers
> Richard
>
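The server-side fix quoted above (send correct Content-Type/Content-Disposition headers so the browser downloads untrusted uploads rather than running them), as an added example that is not part of the original thread. The function names, the list of active types and the sample responses are constructed for illustration; the X-Content-Type-Options header is an addition not mentioned in the thread, included for the browser content-sniffing cause.

```python
import re

# Types a browser or plug-in will run in the serving site's origin
# (illustrative assumption, not an exhaustive list).
ACTIVE_TYPES = {"application/x-shockwave-flash", "text/html", "image/svg+xml"}

def safe_download_headers(filename):
    """Headers that make a browser save an untrusted upload instead of rendering it."""
    # Keep only a conservative character set so the name cannot break out of the
    # quoted filename parameter or inject extra header lines.
    name = re.sub(r"[^A-Za-z0-9._-]", "_", filename.rsplit("/", 1)[-1]) or "download"
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{name}"',
        "X-Content-Type-Options": "nosniff",
    }

def audit_upload_response(headers):
    """Return the findings for one response that serves user-uploaded content."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if not ctype:
        findings.append("no Content-Type: the browser has to guess")
    elif ctype in ACTIVE_TYPES:
        findings.append(f"served as active content ({ctype})")
    if not h.get("content-disposition", "").lower().startswith("attachment"):
        findings.append("no Content-Disposition: attachment, so it can render inline")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("no X-Content-Type-Options: nosniff")
    return findings

# Constructed sample responses for an uploaded file called "avatar.swf".
MISCONFIGURED = {"Content-Type": "application/x-shockwave-flash"}
HARDENED = safe_download_headers("../uploads/avatar.swf")

if __name__ == "__main__":
    for label, resp in (("misconfigured", MISCONFIGURED), ("hardened", HARDENED)):
        print(label, audit_upload_response(resp) or "ok")
```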



