Subject: Re: Signed RSL from Apache
From: Paul Evans
Date: Mon, 20 Feb 2012 12:55:14 +0000
To: flex-dev@incubator.apache.org

On 20 Feb 2012, at 12:41, Paul Evans wrote:

> * Can I 'man-in-the-middle' and inject badLibrary with corresponding md5 to make it look good - i.e. spoof the central repository
> * Can I get a badLoader into the application

More specifically... If the attacker succeeds in the above, every app that wants to use the same library version is compromised by that browser cache even after leaving the 'man-in-the-middle' compromised network.
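The two failure modes raised in this message (an on-path attacker replacing the library together with its md5, and the poisoned copy then being served from a shared cache to every later app) can be shown end to end in a small model. The following is an added example, not code from the thread, from Apache Flex or from the Flash Player RSL cache: the library bytes, the cache keyed on name+version, and the version string are all constructed here, and an HMAC with a key the attacker lacks stands in for the publisher's asymmetric signature (the point being only that the tag cannot be recomputed on path, which is equally true of a real signature verified against a pinned public key).

```python
import hashlib
import hmac
import secrets

# Constructed sample artifacts; not real Flex RSL (.swz) bytes.
GOOD_RSL = b"example_1.0.0.swz: legitimate library bytes"
BAD_RSL = b"example_1.0.0.swz: attacker's badLibrary bytes"
LIB_ID = "example/1.0.0"  # constructed cache key: library name + version

# Trust material the application ships with, obtained out of band at build
# time (assumption: the build records the expected digest and the publisher
# keeps the signing key offline). HMAC is a stand-in for a real signature.
PINNED_DIGEST = hashlib.sha256(GOOD_RSL).hexdigest()
PUBLISHER_KEY = secrets.token_bytes(32)


def publish(lib: bytes, key: bytes) -> dict:
    """What the repository serves: the library, an inline md5, and a keyed tag."""
    return {
        "lib": lib,
        "md5": hashlib.md5(lib).hexdigest(),
        "sig": hmac.new(key, lib, hashlib.sha256).hexdigest(),
    }


def mitm_replace(response: dict, bad_lib: bytes) -> dict:
    """On-path attacker: swap the library and recompute the md5 that travels
    with it. The keyed tag cannot be regenerated without the key, so the
    stale one is left in place (dropping it fails verification just the same)."""
    tampered = dict(response)
    tampered["lib"] = bad_lib
    tampered["md5"] = hashlib.md5(bad_lib).hexdigest()
    return tampered


def verify_by_inline_md5(response: dict) -> bool:
    """Digest delivered on the same channel as the artifact: spoofable."""
    return hashlib.md5(response["lib"]).hexdigest() == response["md5"]


def verify_by_pinned_digest(response: dict, pinned: str) -> bool:
    """Digest fixed at build time, never read from the network."""
    actual = hashlib.sha256(response["lib"]).hexdigest()
    return hmac.compare_digest(actual, pinned)


def verify_by_signature(response: dict, key: bytes) -> bool:
    """Keyed tag checked against a key the attacker does not hold."""
    expected = hmac.new(key, response["lib"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response["sig"])


class RslCache:
    """Minimal model of a shared cache keyed on library name+version: whatever
    is accepted first is handed to every app that later asks for that version."""

    def __init__(self, verifier):
        self.store = {}
        self.verifier = verifier

    def load(self, lib_id: str, fetch) -> bytes:
        if lib_id not in self.store:
            resp = fetch()
            if not self.verifier(resp):
                raise ValueError("verification failed; not caching")
            self.store[lib_id] = resp["lib"]
        return self.store[lib_id]


def scenario(verifier) -> bytes:
    """First fetch happens on a hostile network, the second on a clean one.
    Returns the bytes the second app ends up running."""
    cache = RslCache(verifier)
    legit = publish(GOOD_RSL, PUBLISHER_KEY)
    hostile_fetch = lambda: mitm_replace(legit, BAD_RSL)
    clean_fetch = lambda: legit
    try:
        cache.load(LIB_ID, hostile_fetch)
    except ValueError:
        pass  # rejected library is not cached
    return cache.load(LIB_ID, clean_fetch)


if __name__ == "__main__":
    print("inline md5  :", scenario(verify_by_inline_md5) == BAD_RSL and "poisoned")
    print("pinned hash :", scenario(lambda r: verify_by_pinned_digest(r, PINNED_DIGEST)) == GOOD_RSL and "clean")
    print("signature   :", scenario(lambda r: verify_by_signature(r, PUBLISHER_KEY)) == GOOD_RSL and "clean")
```

With the inline md5 check the tampered response passes, the cache stores badLibrary under that version, and the app loading on a clean network later still gets it, which is the persistence the message describes. With either a pinned digest or a key-backed check the hostile response is rejected before it reaches the cache, so the cache never learns the bad copy.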