flex-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nicholas Kwiatkowski <nicho...@spoon.as>
Subject Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Date Fri, 06 Feb 2015 22:56:33 GMT
Ok.  Digging into this a bit more, the only time we will ever use HTTPS is
during the Installer Config download and the MD5s.

No reason why we need to be tunneling the Installer Config through HTTPS.
All it contains is localization strings for the current version.  MD5 paths
(and all paths, really) are stored on the Apache DIST server, and is pulled
down via HTTP.

MD5s are actually pulled down using HTTPS, again at the Apache DIST
server.  This is valuable to protect via HTTPS.

None of the Apache mirrors are serving files via HTTPS (if they are, they
aren't telling Apache about it -- or Apache isn't cataloging it).

Since nothing larger than 4k is being transferred over https, we don't have
to worry about using a raw https session that screws with TCP Window sizes
(essentially, if you try to create TCP packets too large in one shot, you
will get fragments, which causes major overhead and can cause the
download/upload speed to decrease by 60%).  The proxy thing would still
need to be addressed -- but those are becoming more and more rare.  No idea
how many people still use a proxy server, but they would be affected by
this unless we offer a configuration option for it.

On a side note -- if we are really worried about Man-In-The-Middle attacks,
the two things we should be protecting are the initial configuration
download (http://flex.apache.org/installer/sdk-installer-config-4.0.xml)
and the MD5s.  Everything else is checked via checksums, so we are safe
there.  We currently don't pull the sdk-installer-config-4.0.xml file off
HTTPS, and maybe we should.  I'd vote for dropping
/dist/flex/4.14.0/binaries/apache-flex-sdk-installer-config.xml from being
pulled over https.

I have some time to implement the as3httpdlib this weekend if that is the
direction we want to go.


On Fri, Feb 6, 2015 at 11:16 AM, OmPrakash Muppirala <bigosmallm@gmail.com>

> On Feb 6, 2015 7:37 AM, "Alex Harui" <aharui@adobe.com> wrote:
> >
> >
> >
> > On 2/6/15, 1:11 AM, "Tom Chiverton" <tc@extravision.com> wrote:
> >
> > >On 05/02/15 16:56, Alex Harui wrote:
> > >> What do others think?  IMO, for 3.2 we should just do the swap of an
> AS3
> > >> native HTTP implementation and not switch our urls to HTTP or add some
> > >> checkbox.  Then we can get better data on how many problems that
> change
> > >> solved or if it introduces new issues.  Not that I’m volunteering to
> do
> > >> that work.
> > >I vote for doing this. As you say, there's a chance everything will Just
> > >Work with it.
> >
> > Well, Nick is saying there will be other issues.  Om, have you run into
> > the issues Nick brings up?
> >
> No, I have not.  But I've never had to deal with large downloads using this
> library.  In any case, I still think we should give it a try.
> Thanks,
> Om
> > -Alex
> >

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message