flex-dev mailing list archives

From Paul Evans <paulev...@creative-cognition.co.uk>
Subject Re: Signed RSL from Apache
Date Mon, 20 Feb 2012 13:52:57 GMT

On 20 Feb 2012, at 13:19, David Arno wrote:

>> * can I get a badLoader into the application
> Probably. After all, what happens if someone spoofs the Apache Flex download
> site and provides a dodgy version of the SDK? But that's a whole different
> issue.

Yeah, though signed RSLs currently protect any app which uses them from being compromised
by browser-cached libraries from otherApp based on a dodgy SDK.

Question is, can the proposed goodLoader do similar without itself being compromised? I hope
so - it sounds promising.

Although: I suspect with effort, it is possible for a suitably skilled man-in-the-middle
attacker to intercept the loader SWF and replace the byte-code storing the MD5 values with their
own and still inject badLibrary.

Sorry - still thinking up problems rather than solutions.