To fill in some gaps. An MD5 or SHA256 hash does not provide real security and it can't prevent Man in the middle attack. Here is why:
To validate a HASH you must have a "valid" HASH value to compare against. The issue is... if you don't trust the RSL, how do you trust the HASH value you are comparing against? If the RSL's can be intercepted and swapped, so can the HASH values you are comparing against. This is where signing comes in handy. Validation using signing still revolves around a HASH, but in theory you can actually trust the HASH. The HASH is encrypted with a PRIVATE key that only Apache.org has, the public key is publicly available. You can then decrypt the HASH, with the public key. The resulting value is then checked against the HASH from the download RSL, if it matches then all is OK, thus preventing the man in the middle attack. All this can be done with AS3. Performance although not amazing, I would now consider it a dealbreaker, it will certainly take a lot less time to validated, than to download. So if Apache.org can have a Private key, that only very few people have access to... then yeah, Apache Flex can have their own signed RSLs that can be validated through AS3. Arturo Alvarado
