incubator-flex-dev mailing list archives

From Paul Evans <paulev...@creative-cognition.co.uk>
Subject Re: Signed RSL from Apache
Date Mon, 20 Feb 2012 15:47:56 GMT

On 20 Feb 2012, at 15:30, Haykel BEN JEMIA wrote:

>> Although: I suspect with effort, it is possible for a suitably skilled
>> man-in-the-middle attacker to intercept the loader SWF and replace the
>> byte-code storing the MD5 values with their own and still inject badLibrary.
> What about storing the data as an embedded octet-stream instead of strings?

I am not sure that changes very much. If the validation bytes, whether stored as a string,
octet or otherwise, are a static sequence of bytes, established when the official library is
compiled, then I think our notional attackers could match the pattern and substitute their
own.
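
The point made in this reply, as an added example that is not part of the original message or of the Flex code base: a digest baked into the loader protects nothing when the loader travels over the same channel, whichever encoding is used. The loader layout, the sample bytes and the out-of-band pinned SHA-256 check are assumptions made for the illustration.

```python
import hashlib
import hmac

PREFIX = b"LOADER-CODE["  # constructed stand-in for the loader's byte-code

def md5_of(library: bytes, as_octets: bool) -> bytes:
    """MD5 of the library, as raw octets or as a hex string."""
    h = hashlib.md5(library)
    return h.digest() if as_octets else h.hexdigest().encode()

def build_loader(library: bytes, as_octets: bool) -> bytes:
    """Loader with the official library's digest baked in at compile time."""
    return PREFIX + md5_of(library, as_octets) + b"]MORE-CODE"

def loader_accepts(loader: bytes, library: bytes, as_octets: bool) -> bool:
    """The loader's own check: library digest vs. its embedded constant."""
    n = 16 if as_octets else 32
    stored = loader[len(PREFIX):len(PREFIX) + n]
    return hmac.compare_digest(stored, md5_of(library, as_octets))

def substitute(loader: bytes, official: bytes, replacement: bytes, as_octets: bool) -> bytes:
    """What the thread describes: the static digest is matched and swapped."""
    return loader.replace(md5_of(official, as_octets), md5_of(replacement, as_octets))

def loader_is_authentic(loader: bytes, pinned_sha256: str) -> bool:
    """Assumed mitigation: check the loader against a digest obtained
    outside the channel that delivered it."""
    return hmac.compare_digest(hashlib.sha256(loader).hexdigest(), pinned_sha256)

def demo(as_octets: bool) -> dict:
    official, other = b"official-library-bytes", b"badLibrary-bytes"  # constructed
    loader = build_loader(official, as_octets)
    pinned = hashlib.sha256(loader).hexdigest()  # assumed published out-of-band
    swapped = substitute(loader, official, other, as_octets)
    return {
        "original_rejects_other": not loader_accepts(loader, other, as_octets),
        "swapped_accepts_other": loader_accepts(swapped, other, as_octets),
        "pin_passes_original": loader_is_authentic(loader, pinned),
        "pin_catches_swap": not loader_is_authentic(swapped, pinned),
    }

if __name__ == "__main__":
    for mode in (False, True):
        print("octets" if mode else "string", demo(mode))
```

Both encodings give the same result: the loader's internal check passes after the swap, and only the comparison against a value held outside the delivery channel notices the change.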

