flex-dev mailing list archives

From Paul Evans <paulev...@creative-cognition.co.uk>
Subject Re: Signed RSL from Apache
Date Mon, 20 Feb 2012 12:55:14 GMT

On 20 Feb 2012, at 12:41, Paul Evans wrote:

> * Can I 'man-in-the-middle' and inject badLibrary with corresponding md5 to make it look good - i.e. spoof the central repository
> * Can I get a badLoader into the application

More specifically... if an attacker succeeds in the above, every app that wants to use the same
library version is compromised by that browser cache even after leaving the 'man-in-the-middle'
compromised network.
