Return-Path: X-Original-To: apmail-flex-dev-archive@www.apache.org Delivered-To: apmail-flex-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id C3FD417CCA for ; Sun, 8 Feb 2015 10:59:35 +0000 (UTC) Received: (qmail 92536 invoked by uid 500); 8 Feb 2015 10:59:35 -0000 Delivered-To: apmail-flex-dev-archive@flex.apache.org Received: (qmail 92472 invoked by uid 500); 8 Feb 2015 10:59:35 -0000 Mailing-List: contact dev-help@flex.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@flex.apache.org Delivered-To: mailing list dev@flex.apache.org Received: (qmail 40247 invoked by uid 99); 6 Feb 2015 22:59:35 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 06 Feb 2015 22:59:35 +0000 X-ASF-Spam-Status: No, hits=1.5 required=5.0 tests=HTML_MESSAGE,RCVD_IN_DNSWL_LOW X-Spam-Check-By: apache.org Received-SPF: error (athena.apache.org: local policy) Received: from [209.85.214.174] (HELO mail-ob0-f174.google.com) (209.85.214.174) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 06 Feb 2015 22:59:30 +0000 Received: by mail-ob0-f174.google.com with SMTP id wo20so16041994obc.5 for ; Fri, 06 Feb 2015 14:56:34 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:content-type; bh=rhkmE5xiHj2+kiRFDYcK484Zqo7YQmE5aHaufjDVU70=; b=eY1GHlrCEgjxDqtMqfMG/DIEJoOaYa0VYqJPM3qmZAjIR4Uq3vT5hg/1OO2N+052Pg svH9jhQKVC+/vV5xSPwQqY31r55f2/++UFmKYd+BZJsJJm9VatHHUouWESu3Zep15ICR GObtrFh5kiqaJZzcVz2z5HJ2TSDEou8wSUg8P+EO4G+WaxoZcaA6RQTiYaXWki/dQyYw PclsfA7a30HpwQdqE7xBt/i/hAglUXnuYRhWolvWjEU2lx66VjegQF2T0Ywph3JHb1ps MJVLNDkBwqJAN13LHsu5lUIqytQvASP3gfozCWhMqqPFkD15hOdsGFqmLeQNEzAmeT6P 15Uw== X-Gm-Message-State: ALoCoQnQjDYbvo4f7EOQm5VPRKGlML14lfHKJy4Vd/qCATaHnUXDlH0AQTXI1zBu39fMwCQRhOEz MIME-Version: 1.0 X-Received: by 10.202.66.136 with SMTP id p130mr1600483oia.110.1423263393945; Fri, 06 Feb 2015 14:56:33 -0800 (PST) Received: by 10.202.56.198 with HTTP; Fri, 6 Feb 2015 14:56:33 -0800 (PST) X-Originating-IP: [173.10.39.57] In-Reply-To: References: <54D23B00.20300@extravision.com> <54D2434A.2070103@gmail.com> <54D4853C.9080407@extravision.com> Date: Fri, 6 Feb 2015 17:56:33 -0500 Message-ID: Subject: Re: [Installer - FLEX-34251] Is SSK needed for load installer config? From: Nicholas Kwiatkowski To: dev@flex.apache.org Content-Type: multipart/alternative; boundary=001a113d65d204ad94050e7355e6 X-Virus-Checked: Checked by ClamAV on apache.org --001a113d65d204ad94050e7355e6 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Ok. Digging into this a bit more, the only time we will ever use HTTPS is during the Installer Config download and the MD5s. No reason why we need to be tunneling the Installer Config through HTTPS. All it contains is localization strings for the current version. MD5 paths (and all paths, really) are stored on the Apache DIST server, and is pulled down via HTTP. MD5s are actually pulled down using HTTPS, again at the Apache DIST server. This is valuable to protect via HTTPS. None of the Apache mirrors are serving files via HTTPS (if they are, they aren't telling Apache about it -- or Apache isn't cataloging it). Since nothing larger than 4k is being transferred over https, we don't have to worry about using a raw https session that screws with TCP Window sizes (essentially, if you try to create TCP packets too large in one shot, you will get fragments, which causes major overhead and can cause the download/upload speed to decrease by 60%). The proxy thing would still need to be addressed -- but those are becoming more and more rare. No idea how many people still use a proxy server, but they would be affected by this unless we offer a configuration option for it. On a side note -- if we are really worried about Man-In-The-Middle attacks, the two things we should be protecting are the initial configuration download (http://flex.apache.org/installer/sdk-installer-config-4.0.xml) and the MD5s. Everything else is checked via checksums, so we are safe there. We currently don't pull the sdk-installer-config-4.0.xml file off HTTPS, and maybe we should. I'd vote for dropping /dist/flex/4.14.0/binaries/apache-flex-sdk-installer-config.xml from being pulled over https. I have some time to implement the as3httpdlib this weekend if that is the direction we want to go. -Nick On Fri, Feb 6, 2015 at 11:16 AM, OmPrakash Muppirala wrote: > On Feb 6, 2015 7:37 AM, "Alex Harui" wrote: > > > > > > > > On 2/6/15, 1:11 AM, "Tom Chiverton" wrote: > > > > >On 05/02/15 16:56, Alex Harui wrote: > > >> What do others think? IMO, for 3.2 we should just do the swap of an > AS3 > > >> native HTTP implementation and not switch our urls to HTTP or add so= me > > >> checkbox. Then we can get better data on how many problems that > change > > >> solved or if it introduces new issues. Not that I=E2=80=99m volunte= ering to > do > > >> that work. > > >I vote for doing this. As you say, there's a chance everything will Ju= st > > >Work with it. > > > > Well, Nick is saying there will be other issues. Om, have you run into > > the issues Nick brings up? > > > > No, I have not. But I've never had to deal with large downloads using th= is > library. In any case, I still think we should give it a try. > > Thanks, > Om > > > -Alex > > > --001a113d65d204ad94050e7355e6--