> From: Paul Evans [mailto:paulev...@creative-cognition.co.uk] > Sent: 20 February 2012 12:41
> i don't know enough about security, but in probing for flaws in that idea I'd approach from: I don't know much about security either. Thus why I'm questioning whether it can be done, rather than just suggesting we do it :) > * what happens if an application can't reach the central md5 store? I wouldn't anticipate there being a central md5 store. The md5 values would need to be compiled into the loader I would have thought. The loader then compares the computed checksum of the fetched RSL with what it was expecting. > * Can I 'man-in-the-middle' and inject badLibrary with corresponding > md5 to make it look good - i.e. spoof the central repository As long as the md5's aren't fetched from a remote source, then I don't think this should be an issue. > * can i get a badLoader into the application Probably. After all, what happens if someone spoofs the apache flex download site and provides a dodgy version of the SDK? But that's a whole different issue. David.
