A coworker of mine has been researching secure Flex 2 remote object calls to ColdFusion CFCs over HTTPS. Seems simple enough, but any time sensitive information is passed over the Internets I’d really like it to be bulletproof. Sure, I’m comfortable with HTTPS, but opening a Flash swf over HTTP and trusting that it’s using HTTPS behind the scenes makes me a queasy system admin.

By default, a Flash movie can only access data from the exact domain, and over the same protocol, it was itself loaded from. So, when you open a Flash swf over HTTP it can’t open a remote object over HTTPS, even to the same domain. The data host server can be tweaked to allow HTTP to HTTPS communication. But do I really want to make this tweak?

Adobe has this to say about it in a Flash tech note:

A secure server that allows access to movies hosted via a non-secure protocol
It is not advisable to permit HTTP content to access HTTPS content. This practice can compromise the security offered by HTTPS.
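The server-side tweak in question is the secure attribute on allow-access-from entries in the host's Flash crossdomain.xml policy file. Below is an added example, not from the original post, that audits a constructed sample policy for the secure="false" setting Adobe warns about (plus wildcard domains) and emits a hardened copy; the sample policy and domain names are made up.

```python
# Added example (not from the original post): audit a Flash crossdomain.xml
# for entries that let HTTP-loaded SWFs reach HTTPS data (secure="false")
# and for overly broad domain wildcards. The sample policy is constructed.
import xml.etree.ElementTree as ET

# Constructed sample: the kind of "tweak" the post describes, letting a SWF
# served over HTTP call HTTPS remote objects on this host.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="flex.example.com" secure="false"/>
  <allow-access-from domain="*" />
  <allow-access-from domain="*.example.com" secure="true"/>
</cross-domain-policy>
"""


def audit_policy(xml_text):
    """Return (domain, finding) tuples for risky allow-access-from entries."""
    findings = []
    root = ET.fromstring(xml_text)
    for entry in root.iter("allow-access-from"):
        domain = entry.get("domain", "")
        # When the policy is served over HTTPS, secure defaults to true; an
        # explicit secure="false" is the setting Adobe's tech note warns about.
        secure = entry.get("secure", "true").lower()
        if secure == "false":
            findings.append((domain, "secure=false: HTTP-loaded SWFs may access HTTPS data"))
        if domain == "*":
            findings.append((domain, "wildcard domain: any site may load data from this host"))
    return findings


def hardened_policy(xml_text):
    """Rewrite the policy so every entry requires the SWF to be loaded over HTTPS."""
    root = ET.fromstring(xml_text)
    for entry in root.iter("allow-access-from"):
        entry.set("secure", "true")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for domain, finding in audit_policy(SAMPLE_POLICY):
        print(f"{domain}: {finding}")
    print(hardened_policy(SAMPLE_POLICY))
```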

Most of the developers using our CF servers for Flex purposes are only using HTTPS for authentication. The rest of their app data is generally non-sensitive and doesn’t require encryption.

Is there really a security risk in opening a swf over HTTP and then making HTTPS remote object calls? If the endpoint is set in the Flex 2 app to an https address, all signs indicate that communication from the swf is going over HTTPS.