I'm not a security expert either, but doesn't https stop a man-in-the-middle attack?
So the only way to cause you to download the wrong thing is to compromise gwtproject.org, in which case they could just put the sha1 for their altered file on there. That's much easier than creating an alternative download with the same sha1 as the original file.
Paul
On 11 Jul 2017 11:42 am, "salk31" <salk31@gmail.com> wrote:
I think Bob has a point. I don't think HTTPS helps that much. Isn't the issue that somebody could generate a new binary that has a SHA1 that matches the real binary?--
On Wednesday, July 5, 2017 at 10:30:24 PM UTC+1, Thomas Broyer wrote:This is not wrong, but not a real vulnerability either I believe, if only because, to begin with, downloads are made through HTTPS.
(Don't take my words for granted though, I'm not a security expert)Wrt your first question, have a look at http://www.gwtproject.org/maki
nggwtbetter.html
You could post to the GWT Contributors group, or file an issue on gwtproject/gwt.
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com .
To post to this group, send email to google-web-toolkit@googlegroups.com .
Visit this group at https://groups.google.com/group/google-web-toolkit .
For more options, visit https://groups.google.com/d/optout .
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To post to this group, send email to google-web-toolkit@googlegroups.com.
Visit this group at https://groups.google.com/group/google-web-toolkit.
For more options, visit https://groups.google.com/d/optout.
No comments:
Post a Comment