incubator-flex-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Paul Evans <>
Subject Re: Signed RSL from Apache
Date Mon, 20 Feb 2012 12:41:18 GMT

On 20 Feb 2012, at 11:50, David Arno wrote:

> If we generate MD5 hashes for the SDK SWCs,
> then the loader could check those hashes on load. Would that not be secure
> enough, or is there a flaw in that idea?

i don't know enough about security, but in probing for flaws in that idea I'd approach from:

* what happens if an application can't reach the central md5 store?
* Can I 'man-in-the-middle' and inject badLibrary with corresponding md5 to make it look good
- i.e. spoof the central repository
* can i get a badLoader into the application


View raw message