incubator-flex-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nicholas Kwiatkowski <>
Subject Re: Signed RSL from Apache
Date Mon, 20 Feb 2012 20:00:55 GMT
wouldn't that be essentially the same as them "blessing" our framework,
which is something they were unwilling to do in the first place?  From what
I remember, that is the entire beef they had -- they didn't want to say
that our framework was worthy of an RSL, unless it went through their
security review first.


On Mon, Feb 20, 2012 at 8:24 AM, Michael A. Labriola <> wrote:

> >more specifically... If attacker succeeds in the above, every app that
> wants to use  the same library version is compromised by that browser cache
> even after leaving the 'man-in-the-middle' compromised network.
> I am not going to hold my breath on this, but the way to avoid this would
> be to have adobe host a minimal-sized, signed rsl, that contained our
> hashes. Then we have the hashes with a level of confidence.
> Mike

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message