What settings for Flash Player to use to protect privacy?

What settings are recommended in Flash Player to protect privacy?

Yes, cookies are a big threat to our privacy… but a big problem is also the Flash Player…

There are only a few things we can do to prevent things from happening through Flash Player; that is, either sandboxing it along with the browsers that we use. Other than that it’s typically up to the developers.

Privacy-wise there’s not much you can do; that’s the attraction of Flash for advertisers: it has an invisible clickmap and scripting to watch everything you do, even your mouse movements, and multiple real-time communication methods.

Don’t believe me? Then have a read from the horse’s mouth…
http://www.adobe.com/content/dam/Adobe/en/devnet/flash/articles/flash_player_admin_guide/flash_player_10.0_admin_guide.pdf

In that PDF there is something that is not very well known - the admin mms.cfg file.

It’s just a text file (you can make it with Notepad, but you also have to go to Control Panel, Folder Options, and enable being able to see file extensions… so that you can rename the mms.txt file created with Notepad to mms.cfg instead).

# These settings override any user settings made with Adobe's online settings manager.

# Prevent user designating any sandboxed local system files as trusted
AllowUserLocalTrust = 0

# Default 20 (MB); zero disables Flash from storing common Flash components
AssetCacheSize = 0

# 0 allows Flash to update itself and apply security updates, 1 disables
AutoUpdateDisable = 0

# Number of days between checks for updates to the Flash plugin; 7 days is a bit
# optimistic given Adobe's update record
AutoUpdateInterval = 7

# 1 disables SWF files accessing webcam and microphone; set to 0 to allow
AVHardwareDisable = 1

# Older and less secure (pre-version 6 Flash Player) functions disabled; 1 to enable
LegacyDomainMatching = 0

# 0 restricts less secure functions from Flash Player 7 and earlier from executing
LocalFileLegacyAction = 0

# 1 prevents SWF files having read access to files on local hard drives
LocalFileReadDisable = 1

# 1 no storage, 2 10 KB, 3 100 KB, 4 1 MB, 5 10 MB, 6 user specifies upper limit (default)
LocalStorageLimit = 1

# If set to 0 files never download without user approval; 1 disables download completely
FileDownloadDisable = 0

# If set to 0 files never upload without user approval; 1 breaks sites like Megaupload
# which use this Flash feature to upload files the user selects.
FileUploadDisable = 0

# Set to 1 to allow third-party locally persistent shared objects (LSOs)
ThirdPartyStorage = 0

# 1 prevents information on installed fonts being disclosed
DisableDeviceFontEnumeration = 1

# Floaty Flash ad banners bugging you? Apparently this setting stops them.
# This also blocks some transparent or opaque elements, so could be undesirable.
# Set to 0 to allow WMode windowless elements
WindowlessDisable = 1

Copy the above into Notepad and save the file as mms.cfg (don’t forget about the .cfg extension - if you have not enabled being able to see extensions you will instead be saving a file called mms.cfg.txt, which will not work)

… and save it into C:\Windows\System32\Macromed\Flash\ <<-- in here

Being an admin file for Flash, any user of the same computer will be affected by the restrictions imposed on Flash by the mms.cfg file - no matter what they set in the online settings manager :slight_smile:

Easier still - don’t install Flash (I mean, that’s why you wanted a privacy/security-respecting browser in the first place, right? If not, you may as well just use Google Chrome instead of Dragon; Flash is far worse than Google).
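As an added example (not from the thread or from Adobe), a small Python script that parses an mms.cfg the way the post describes it (Key = Value lines, # comments) and audits it against the privacy baseline listed above, reporting any setting that is looser than recommended or missing. It assumes the System32 path from the post plus the SysWOW64 path that 32-bit Flash reads on 64-bit Windows; the sample cfg is constructed, and is used when neither file exists.

```python
"""Audit a Flash Player mms.cfg against the privacy baseline given in this thread."""
from pathlib import Path

# Privacy baseline: the values recommended in the post above.
BASELINE = {
    "AllowUserLocalTrust": "0", "AssetCacheSize": "0",
    "AVHardwareDisable": "1", "LegacyDomainMatching": "0",
    "LocalFileLegacyAction": "0", "LocalFileReadDisable": "1",
    "LocalStorageLimit": "1", "ThirdPartyStorage": "0",
    "DisableDeviceFontEnumeration": "1", "WindowlessDisable": "1",
}

# Where Flash reads mms.cfg on Windows; the SysWOW64 copy serves 32-bit Flash on 64-bit Windows.
CANDIDATE_PATHS = [Path(r"C:\Windows\System32\Macromed\Flash\mms.cfg"),
                   Path(r"C:\Windows\SysWOW64\Macromed\Flash\mms.cfg")]


def parse_mms_cfg(text):
    """Parse 'Key = Value' lines; anything after '#' is a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value  # a later duplicate overrides an earlier one
    return settings


def audit(settings):
    """Return {key: (expected, actual)} for each baseline setting not met (actual None = missing)."""
    return {key: (want, settings.get(key))
            for key, want in BASELINE.items() if settings.get(key) != want}


# Constructed sample: two privacy settings left loose and ThirdPartyStorage omitted entirely.
SAMPLE_CFG = """\
AllowUserLocalTrust = 0
AssetCacheSize = 0
AVHardwareDisable = 0   # camera and microphone still allowed
LegacyDomainMatching = 0
LocalFileLegacyAction = 0
LocalFileReadDisable = 1
LocalStorageLimit = 6
DisableDeviceFontEnumeration = 1
WindowlessDisable = 1
"""

if __name__ == "__main__":
    text = next((p.read_text() for p in CANDIDATE_PATHS if p.exists()), SAMPLE_CFG)
    for key, (want, got) in audit(parse_mms_cfg(text)).items():
        print(f"{key}: expected {want}, found {got}")
```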

Doesn’t it help if you deselect the option to “Allow Third-Party Cookies”?

I think it helps if you blanket-prevent both third-party AND local storage, and only enable on a per-site basis - you have to be a bit granular.

But Flash, being a proprietary plugin that isn’t really sandboxed, has a few more tricks up its sleeve - storage of any kind doesn’t matter; with the amount and different types of ‘simultaneous’ real-time open communications it can establish with Adobe / Omniture / apps / Flash games / every advertiser and his dog… they don’t need it.

A ‘feature’ of Flash Player introduced over the last year was its ability to detect if the browser it was plugged into was in any kind of privacy or incognito mode - if it detects that, then no matter what settings you try to impose, Flash gives itself more memory allocation for temporary storage (so that it can better take advantage of the time in use, because local storage for recovery is effectively turned off).

They also changed the scripting method; ActionScript is a new beast now which does not give any telltale indicators that it is in use at all.

For anyone reading this wondering what the implications are - consider a scenario…

You grab a (fluffy bunny / pinball game / cute app - take your pick) from sources unknown which uses Flash.

It’s been coded to take advantage of all the nice hidden features of Flash which you have no clue about.

Now go log into your bank with that same browser - comfortable? :slight_smile:

Edit: Guys, have a good careful read of that PDF I linked above, then you will realise why Dragon does not include the Flash plugin (unlike Google). I think even though Adobe are making steps towards sandboxing the plugin, it still does not fully respect the ideal as depicted in the Google Chrome comic.

Also consider - who guarantees your plugins/extensions do not break the permission levels of any Chrome variant you use?

Nobody that I have seen. Even Google’s extensions site does not give any form of guarantee in that regard; they haven’t the time to go sifting through all the code of every app offered as a plugin. It’s a bit Wild West really.

PS - Anyone need a PDF reader for the above? Try this open source one instead of Adobe’s bloatware PDF reader.

Another tip I forgot to mention previously …

Type the following address in your URL bar:

dragon://flags

and press Return. Be careful what you play with here.

Scroll down and find Click to Play.

Click Enable once (it will change to Disable).

Now relaunch the browser.

Go to Options / Under the Hood, and click Content Settings.

Scroll down to Plugins; you now have a new option, Click to Play. If you choose it, relaunch the browser again.

Now whenever a plugin is required to run the web page content, you can choose to let it play instead of getting those annoying video ads automatically blaring in your face everywhere you go.

It works pretty much the same as the old Firefox plugin Flashblock does.
But… more importantly… you don’t need another potentially badly written homebrew Chrome extension to do the same job :slight_smile: