>more specifically... If attacker succeeds in the above, every app that wants
>to use the same library version is compromised by that browser cache even
>after leaving the 'man-in-the-middle' compromised network.

I am not going to hold my breath on this, but the way to avoid this would be to have Adobe host a minimal-sized, signed RSL that contained our hashes. Then we have the hashes with a level of confidence.

Mike