Building trust in Flash-based RIAs: a security feature request

Writing about secure passwords in Buzzword got me thinking about the state of security and user trust in Flash (and Flex)-based Rich Internet Applications in general. After giving it some thought, I concluded that we have a little more work to do if users are to be expected to have the same sort of trust in Flash-based RIAs as they do for JavaScript and HTML-based applications and web sites.

The key security issue I see with Flash applications, especially those that deal with sensitive information, is that the user has no way of knowing whether or not the application is communicating their sensitive data over a secure connection.

In a traditional web application, on the other hand, serving the application over HTTPS makes the security lock icon display in the browser and thus alert the user that their data is being handled securely. If a traditional web application then tries to make an HTTP call, the user is alerted to this.

The security lock icon tells users that their data will be sent securely to the server.

In the comments to my previous post, for example, I asked whether Buzzword sends my usersame and password over HTTPS and David Colleta replied that it does. Now I trust David, of course, but what mechanism does Joe User have to trust Jane Developer when it comes to how RIAs handle data in general?

The problem I'm describing manifests itself differently based on whether you examine how it affects users or developers:

Users: A false sense of security

A Flash-based RIA is served over HTTPS. The user sees the security lock icon in their browser and thinks that any data they provide will be securely transfered to the server.

Problem: Unfortunately, the security lock only means that the application itself is being securely transmitted. Internally, the application can transfer the user's sensitive data in clear text for the world to see via HTTP and the user would be none the wiser.

Developers: How can I say "this application really is secure?"

A developer creates an application that handles sensitive data and makes sure that every data call in the application is over HTTPS. The application itself, however, is served over HTTP and so the user does not see the security lock icon in her browser and chooses not to trust the application.

Of course, the application can tell the user what it's doing but again, the user would have to trust that the application wasn't lying.

As you can see, the current state of affairs benefits neither the user nor the developer.

From the developer's perspective, there is no way, currently, of communicating to the user that the application transfers data securely short of loading the whole application over HTTPS. And, as far as the user is concerned, an application that is served over HTTPS can still make HTTP calls and compromise the user's data without the user being alerted to this fact.

One possible solution

One possible solution to this is to have Flash applications that are loaded over HTTPS display a dialog box before attempting to do an HTTP call and to give the user the option to cancel the call if they want to.

A similar feature exists in browsers already where a browser will warn you if you are about to leave an HTTPS session using a dialog box that looks like this:

JavaScript alert warning the user that they are about to leave a secure session.

What I'm proposing is a similar dialog to warn users if a SWF that is loaded over HTTPS attempts to make an HTTP call:

A proposed JavaScript alert to warn users that a Flash application served over HTTPS is about to make an unsecure HTTP call

This one enhancement should go a long way in giving developers a way of saying "this application handles your data securely" and help build trust in users.

I feel that this will become more of an issue as more RIAs start handling sensitive data like credit card details and I would love to see some proactive steps taken by Adobe to address it in upcoming versions of the Flash player.