Hi, we have a Flex application that runs in an HTTP domain and makes RPC calls to Tomcat over HTTPS. That means our Flex client is not secured by SSL, but the Java services are. We thought that this would be enough because the Flex client itself does not contain any sensitive data (and, by our logic, the AMF would be secured by securing the Java services).
However, the crossdomain policy file specification says that this is not a good way to do things, because we risk a man-in-the-middle attack. (The spec can be found here: http://learn.adobe.com/wiki/download/attachments/64389123/CrossDomain_PolicyFile_Specification.pdf?version=1)

To me, this raises a question: is the Flex application sending the data unencrypted to the server despite the SSL we have on the server? If this is the case, at which point does the encryption take place? And moreover, how vulnerable is this kind of solution? Is it the same as not using HTTPS at all?

If you have any insight, please comment.

Cheers,
Jukka
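The policy setting the spec is warning about, as an added example that is not part of the original post: the crossdomain.xml served by the HTTPS services host, with the hostnames assumed. The AMF payload itself is encrypted once it travels over HTTPS; the exposure is the SWF loaded over plain HTTP, and the `secure` attribute is what decides whether such a SWF may call the HTTPS services at all.

```xml
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!--
  Assumed layout (hostnames are placeholders):
    Flex client (SWF) served from  http://app.example.com/
    Java/AMF services served from  https://services.example.com/
    This file lives at             https://services.example.com/crossdomain.xml

  For a policy served over HTTPS, secure="true" is the default. With it,
  only a SWF that was itself loaded over HTTPS may call these services.

  The weak variant that makes the HTTP-hosted client work is
      <allow-access-from domain="app.example.com" secure="false"/>
  That grants the HTTPS services to a SWF fetched over plain HTTP. Since
  that SWF is unencrypted and unauthenticated in transit, anyone able to
  alter it on the way to the browser gets the same grant, and every AMF
  call the altered SWF makes still rides on the "secure" channel. That is
  the man-in-the-middle risk the spec describes; it is a weakness of the
  client delivery path, not of the TLS session to Tomcat.

  Hardened form: keep the default (or state it explicitly, as below) and
  serve the Flex client from HTTPS as well, so the SWF, the policy and
  the AMF traffic are all protected end to end.
-->
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="app.example.com" secure="true"/>
</cross-domain-policy>
```

A quick check on the live system is to fetch https://services.example.com/crossdomain.xml and confirm no `allow-access-from` entry carries `secure="false"` (and none uses `domain="*"`).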