Talking about security, I think there is nothing being done to prevent man-in-the-middle for JS libraries hosted by Google for example, so it does not seem to be an issue even if JS is plain text and easier to manipulate (I did not hear about such an attack). Is the RSL issue we are talking about a real issue?
Haykel

On 20 February 2012 16:47, Paul Evans <paulev...@creative-cognition.co.uk> wrote:

>
> On 20 Feb 2012, at 15:30, Haykel BEN JEMIA wrote:
>
> >> Although: I suspect with effort, it is possible for a suitably skilled
> >> man-in-the-middle attacker to intercept the loader SWF and replace the
> >> byte-code storing the MD5 values with their own and still inject badLibrary.
> > What about storing the data as embedded octet-streams instead of
> > strings?
>
> I am not sure that changes very much. If the validation bytes, whether
> stored as a string, octet or otherwise are a static sequence of bytes,
> established when the official library is compiled, then I think our
> notional attackers could match the pattern and substitute their own.
>
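
Added example, not part of the original thread: a small Python model of the point in the quoted reply, that a static MD5 value embedded in the loader fails the same way whether it is stored as a string or as raw octets, because the loader travels over the same channel as the library. The loader layout, the sample byte strings and the `matches_pinned` check (a loader digest obtained outside that channel) are assumptions of this example, not something the thread proposes.

```python
import hashlib

HEADER = b"LOADER"  # constructed stand-in for the rest of the loader SWF
OFFICIAL = b"official library bytes"  # constructed sample RSL
SUBSTITUTE = b"badLibrary bytes"      # constructed stand-in for a swapped library

def md5_ref(lib: bytes, as_string: bool) -> bytes:
    """Validation bytes as a 32-char hex string or as 16 raw octets."""
    digest = hashlib.md5(lib)
    return digest.hexdigest().encode("ascii") if as_string else digest.digest()

def build_loader(lib: bytes, as_string: bool) -> bytes:
    """Loader with the static validation bytes fixed at compile time."""
    ref = md5_ref(lib, as_string)
    return HEADER + bytes([len(ref)]) + ref

def loader_accepts(loader: bytes, lib: bytes) -> bool:
    """The check the loader runs against its own embedded value."""
    n = loader[len(HEADER)]
    ref = loader[len(HEADER) + 1 : len(HEADER) + 1 + n]
    return ref == md5_ref(lib, as_string=(n == 32))

def rewritten_in_transit(loader: bytes, as_string: bool) -> bytes:
    """Model of the thread's scenario: the known static pattern is swapped."""
    return loader.replace(md5_ref(OFFICIAL, as_string), md5_ref(SUBSTITUTE, as_string))

def matches_pinned(loader: bytes, pinned_sha256: str) -> bool:
    """Assumption: a loader digest obtained outside the intercepted channel."""
    return hashlib.sha256(loader).hexdigest() == pinned_sha256

def compare_encodings() -> dict:
    """Run the same checks for both storage encodings of the MD5 value."""
    results = {}
    for name, as_string in (("string", True), ("octets", False)):
        loader = build_loader(OFFICIAL, as_string)
        pinned = hashlib.sha256(loader).hexdigest()
        altered = rewritten_in_transit(loader, as_string)
        results[name] = {
            "intact_rejects_substitute": not loader_accepts(loader, SUBSTITUTE),
            "altered_accepts_substitute": loader_accepts(altered, SUBSTITUTE),
            "pinned_check_flags_altered": not matches_pinned(altered, pinned),
        }
    return results

if __name__ == "__main__":
    for name, row in compare_encodings().items():
        print(name, row)
```

Both encodings give the same three results: the embedded check only holds while the loader itself is intact, and only a reference value held outside the channel notices the altered loader.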