incubator-flex-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Arno" <da...@davidarno.org>
Subject RE: Signed RSL from Apache
Date Mon, 20 Feb 2012 13:19:24 GMT
> From: Paul Evans [mailto:paulevans@creative-cognition.co.uk] 
> Sent: 20 February 2012 12:41

> i don't know enough about security, but in probing for flaws in that idea
I'd approach from:
I don't know much about security either. Thus why I'm questioning whether it
can be done, rather than just suggesting we do it :)

> * what happens if an application can't reach the central md5 store?
I wouldn't anticipate there being a central md5 store. The md5 values would
need to be compiled into the loader I would have thought. The loader then
compares the computed checksum of the fetched RSL with what it was
expecting.

> * Can I 'man-in-the-middle' and inject badLibrary with corresponding 
> md5 to make it look good - i.e. spoof the central repository
As long as the md5's aren't fetched from a remote source, then I don't think
this should be an issue.

> * can i get a badLoader into the application
Probably. After all, what happens if someone spoofs the apache flex download
site and provides a dodgy version of the SDK? But that's a whole different
issue.

David.


Mime
View raw message