Ok.  Digging into this a bit more, the only time we will ever use HTTPS is
during the Installer Config download and the MD5s.

No reason why we need to be tunneling the Installer Config through HTTPS.
All it contains is localization strings for the current version.  MD5 paths
(and all paths, really) are stored on the Apache DIST server, and are pulled
down via HTTP.

MD5s are actually pulled down using HTTPS, again at the Apache DIST
server.  This is valuable to protect via HTTPS.

None of the Apache mirrors are serving files via HTTPS (if they are, they
aren't telling Apache about it -- or Apache isn't cataloging it).

Since nothing larger than 4k is being transferred over https, we don't have
to worry about using a raw https session that screws with TCP Window sizes
(essentially, if you try to create TCP packets too large in one shot, you
will get fragments, which causes major overhead and can cause the
download/upload speed to decrease by 60%).  The proxy thing would still
need to be addressed -- but those are becoming more and more rare.  No idea
how many people still use a proxy server, but they would be affected by
this unless we offer a configuration option for it.

On a side note -- if we are really worried about Man-In-The-Middle attacks,
the two things we should be protecting are the initial configuration
download (http://flex.apache.org/installer/sdk-installer-config-4.0.xml)
and the MD5s.  Everything else is checked via checksums, so we are safe
there.  We currently don't pull the sdk-installer-config-4.0.xml file off
HTTPS, and maybe we should.  I'd vote for dropping
/dist/flex/4.14.0/binaries/apache-flex-sdk-installer-config.xml from being
pulled over https.

I have some time to implement the as3httpdlib this weekend if that is the
direction we want to go.

-Nick

On Fri, Feb 6, 2015 at 11:16 AM, OmPrakash Muppirala <bigosma...@gmail.com>
wrote:

> On Feb 6, 2015 7:37 AM, "Alex Harui" <aha...@adobe.com> wrote:
> >
> >
> >
> > On 2/6/15, 1:11 AM, "Tom Chiverton" <t...@extravision.com> wrote:
> >
> > >On 05/02/15 16:56, Alex Harui wrote:
> > >> What do others think?  IMO, for 3.2 we should just do the swap of an AS3
> > >> native HTTP implementation and not switch our urls to HTTP or add some
> > >> checkbox.  Then we can get better data on how many problems that change
> > >> solved or if it introduces new issues.  Not that I’m volunteering to do
> > >> that work.
> > >I vote for doing this. As you say, there's a chance everything will Just
> > >Work with it.
> >
> > Well, Nick is saying there will be other issues.  Om, have you run into
> > the issues Nick brings up?
> >
>
> No, I have not.  But I've never had to deal with large downloads using this
> library.  In any case, I still think we should give it a try.
>
> Thanks,
> Om
>
> > -Alex
> >
>
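
Added example, not part of the original thread and not the Flex installer's code: a Python sketch of the trust chain described in the message above, where the payload may come from any HTTP mirror but is accepted only if it matches a digest fetched over HTTPS from the trusted server. The host `dist.example.org`, the function names and the sample data are hypothetical placeholders.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

TRUSTED_DIGEST_HOST = "dist.example.org"  # placeholder for the DIST server (assumption)


class VerificationError(Exception):
    """Raised when a download must not be installed."""


def parse_digest(text, algorithm="md5"):
    """Extract the hex digest from a checksum file.

    Accepts a bare digest, 'digest  filename', or 'MD5 (file) = digest'.
    """
    hex_len = hashlib.new(algorithm).digest_size * 2
    pattern = r"(?<![0-9a-fA-F])[0-9a-fA-F]{%d}(?![0-9a-fA-F])" % hex_len
    match = re.search(pattern, text)
    if match is None:
        raise VerificationError("no %s digest found in checksum file" % algorithm)
    return match.group(0).lower()


def verify_download(payload, digest_text, digest_url, algorithm="md5"):
    """Accept mirror bytes only if they match a digest fetched over HTTPS."""
    source = urlsplit(digest_url)
    # The digest is the trust anchor: over plain HTTP, whoever rewrites the
    # payload can rewrite the digest too, so the comparison proves nothing.
    if source.scheme != "https" or source.hostname != TRUSTED_DIGEST_HOST:
        raise VerificationError("digest not fetched over HTTPS from the trusted host")
    expected = parse_digest(digest_text, algorithm)
    actual = hashlib.new(algorithm, payload).hexdigest()
    # Constant-time comparison of the two hex strings.
    if not hmac.compare_digest(expected, actual):
        raise VerificationError("payload does not match published digest")
    return actual


# Constructed sample data, not real Flex artifacts.
SAMPLE_PAYLOAD = b"constructed stand-in for an SDK archive fetched from an HTTP mirror"
SAMPLE_DIGEST_FILE = hashlib.md5(SAMPLE_PAYLOAD).hexdigest() + "  sdk-sample.zip\n"
```

The same reasoning applies to the installer config: it tells the client which paths to fetch, so a check like this only helps once that file is also fetched over HTTPS.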
