flex-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Paul Evans <paulev...@creative-cognition.co.uk>
Subject Re: Signed RSL from Apache
Date Mon, 20 Feb 2012 17:10:08 GMT

On 20 Feb 2012, at 16:56, Omar Gonzalez wrote:

> 1.) security and 2.) Flash Player RSL caching at a global
> level (all domains),

> Having Apache host RSLs would help us to
> resolve #1 as Adobe will no longer host our RSLs. I hope that's clear and
> that I've gotten that all correct, someone correct me if I'm wrong here
> please.

RE #1, much this afternoon's discussion has been that unless they are signed or can in some
other secure way authenticated at runtime, then #2 is likely unviable due to exposure to a
'man-in-the-middle' which issue Alex eluded to back in january:

On 5 Jan 2012, at 17:15, Alex Harui wrote:

> There are no plans at this time to host RSLs somewhere.  It might be
> possible if we get enough support for it.  However, they won't be signed and
> I'm concerned about the security implications of that.  I'm not a security
> expert, but I believe unsigned RSLs will leave you exposed to a
> man-in-the-middle attack, at that alone might be sufficient to kill any
> momemtum for a central place to pick up RSLs.

View raw message