I'm not a security expert either, but doesn't https stop a man-in-the-middle attack?
So the only way to cause you to download the wrong thing is to compromise gwtproject.org, in which case they could just put the sha1 for their altered file on there. That's much easier than creating an alternative download with the same sha1 as the original file. Paul On 11 Jul 2017 11:42 am, "salk31" <[email protected]> wrote: > I think Bob has a point. I don't think HTTPS helps that much. Isn't the > issue that somebody could generate a new binary that has a SHA1 that > matches the real binary? > > > On Wednesday, July 5, 2017 at 10:30:24 PM UTC+1, Thomas Broyer wrote: >> >> This is not wrong, but not a real vulnerability either I believe, if only >> because, to begin with, downloads are made through HTTPS. >> (Don't take my words for granted though, I'm not a security expert) >> >> Wrt your first question, have a look at http://www.gwtproject.org/maki >> nggwtbetter.html >> You could post to the GWT Contributors group, or file an issue on >> gwtproject/gwt. >> > -- > You received this message because you are subscribed to the Google Groups > "GWT Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To post to this group, send email to [email protected]. > Visit this group at https://groups.google.com/group/google-web-toolkit. > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "GWT Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/google-web-toolkit. For more options, visit https://groups.google.com/d/optout.
