In the first part of this blog I told you how to use the basic Flash configuration utility. This blog is for the techies. This time I’ll share with you how to shut the doors on Flash and only open them to the sites you want to trust.

Very few people seem to know that you can actually configure Flash through a configuration file. The configuration file is meant for network administrators to be able to deploy Flash and control how it works, but you can use the configuration file on your own PC as well. By using this configuration file you can stop the online advertisers from spying on you, however, to do so means that a lot of websites do not work properly. Of course, if “works properly” means they get to spy on you then it isn’t such a compromise.

You can find the details for the configuration file in a document that Adobe publishes at http://www.adobe.com/content/dam/Adobe/en/devnet/flash/articles/flash_player_admin_guide/flash_player_admin_guide.pdf

There are far more settings than the mostly worthless, online Flash Settings Manager allows. You can block ALL flash and then make exceptions for sites you trust. There are far too many settings for me to explain each one. This blog is not going to be a tutorial on the configuration file. If you have the skills to use the file then you can figure it out for yourself.

For an example, I created a configuration file with the following content:

LocalStorageLimit = 1
AssetCacheSize = 0
ThirdPartyStorage = 0
AssetCacheSize = 0
AutoUpdateInterval = 1
LegacyDomainMatching = 0
LocalFileLegacyAction = 0

This configuration stopped Disney, MTV, ESNP, and ABC (all defendants in privacy violation lawsuits) from writing LSOs to my hard drive. Sites, such as Disney were pretty unusable in terms of viewing graphic content. Sites like ABC broke in some, but not all cases.

There is one spy aspect of Flash that this configuration did not stop. Adobe has a default cookie that records each Flash enabled site you visit. Using the web-based Flash Settings Manager, if you go to the website privacy settings or storage setting panels and delete all websites it will delete this history from the default cookie, but what if you don’t want the sites written at all? I decided to see if I would prevent this from happening. The default cookie is called settings.sol and its location depends upon your operating system and version. I first use the web-based panels to configure flash how I wanted and then marked settings.sol as read only.  Next I went to sites that use flash and went back to check the settings.sol file. I think it is appropriate to mention here that “SOL” in English is an acronym for Sh*t Out of Luck. I do not think this is a coincidence. When I went to look at the sol file I discovered that Flash had written a file called settings.sxx that contained the website I had visited. After marking both the sol and sxx files as read only, Flash finally stopped tracking the websites I visit.

The least intelligent readers will assume that if you have nothing to hide then there isn’t a problem with Adobe creating a list of websites you visit. The more astute readers will realize that this list can be used for targeted advertising. Additionally, if you click on a poisoned search result from Google and get redirected to a porn site that contains child pornography, the sol may be used as forensic evidence that you visited that site.

The MMS.CFG configuration file is a powerful tool for techies to control Adobe Flash. The functionality should be an integral part of Flash for everyone. Flash should never, ever install without configuration options, but that would detract from the spy capacity of Flash and I don’t think Adobe has any desire to put privacy into the hands of the average user.
 
The next blog will discuss some tools that people can use to make some compromises that allow them to use Flash enabled sites and to some degree limit the spying. Currently there is no real balance, Adobe needs to redesign the Flash model from the ground up if Flash is to be better than a spammers tool of choice.

Randy Abrams
Director of Technical Education
ESET LLC