Subject: Re: Signed RSL from Apache
From: Paul Evans
To: flex-dev@incubator.apache.org
Date: Mon, 20 Feb 2012 13:52:57 +0000

On 20 Feb 2012, at 13:19, David Arno wrote:

>> * can I get a badLoader into the application
> Probably. After all, what happens if someone spoofs the apache flex download
> site and provides a dodgy version of the SDK? But that's a whole different
> issue.

Yeah, though signed RSLs currently protect any app which uses them from being compromised by browser-cached libraries from otherApp based on a dodgy sdk.

Question is, can the proposed goodLoader do similar without itself being compromised? I hope so - it sounds promising.

Although: I suspect with effort, it is possible for a suitably skilled man-in-the-middle attacker to intercept the loader SWF and replace the byte-code storing the MD5 values with their own and still inject badLibrary.

Sorry - still thinking up problems rather than solutions.
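
The concern raised in the message above, as an added example that is not part of the thread or of any Apache Flex code: a loader that carries MD5 digests for its libraries only detects tampering if the loader itself is checked against something held outside the download channel. The manifest model, the file name and the pinned fingerprint are assumptions made for illustration.

```python
import hashlib

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def build_loader(libraries: dict[str, bytes]) -> dict[str, str]:
    """Model of the loader: library name -> MD5 digest embedded in it."""
    return {name: md5_hex(body) for name, body in libraries.items()}

def loader_accepts(loader: dict[str, str], name: str, body: bytes) -> bool:
    """The loader's own check: library bytes must match its embedded digest."""
    return loader.get(name) == md5_hex(body)

def loader_fingerprint(loader: dict[str, str]) -> str:
    """SHA-256 over a canonical serialisation of the loader's manifest."""
    canon = "\n".join(f"{n}:{d}" for n, d in sorted(loader.items()))
    return hashlib.sha256(canon.encode()).hexdigest()

def anchored_accepts(pinned_fp: str, loader: dict[str, str],
                     name: str, body: bytes) -> bool:
    """Verify the loader against an out-of-band fingerprint before trusting it."""
    if loader_fingerprint(loader) != pinned_fp:
        return False
    return loader_accepts(loader, name, body)

def demo() -> dict[str, bool]:
    # Constructed sample bytes standing in for the library SWFs.
    good_lib = b"framework bytes v1 (constructed sample)"
    bad_lib = b"modified framework bytes (constructed sample)"
    name = "framework.swf"  # hypothetical file name
    good_loader = build_loader({name: good_lib})
    pinned = loader_fingerprint(good_loader)  # assumed to arrive out of band
    # Loader whose embedded digest was rewritten in transit to match bad_lib.
    swapped_loader = build_loader({name: bad_lib})
    return {
        "library_only_swap_caught": not loader_accepts(good_loader, name, bad_lib),
        "loader_and_library_swap_caught": not loader_accepts(swapped_loader, name, bad_lib),
        "anchored_check_catches_swap": not anchored_accepts(pinned, swapped_loader, name, bad_lib),
        "anchored_check_accepts_good": anchored_accepts(pinned, good_loader, name, good_lib),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```
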