Thursday, March 24, 2011

Why doesn't Adobe understand?

Web browsers are too complex. Adobe's Flash is a case in point. There is no way to have that much stuff going on in a browser and keep it secure.

So it was no surprise yesterday to log in to the family playing-around account and see that it was complaining that the installed Flash was, heh, strongly recommended to be updated.

So I went over to Adobe and downloaded it. Used Google's site search to look for the checksums, since they were shy about posting them on the download page. Neither hide nor hair of a checksum since version 9.

Why should they have checksums posted, since they use no mirrors, and if you can't trust their download site, well, why would you risk downloading it in the first place?

Excellent question. Here's the excellent answer:

The checksums should be hosted on a separate server from the download server farm. Then an intruder would have to get into more than one server to do damage without leaving visible evidence of the damage.

(The not-so-excellent answer is, I'd rather not, but my children insist.)

So, first, I log into a console (not X11 graphical) as root. Then I switch to the graphical login screen and log into an account which I never use to go to sites with lots of ads, or other sites I think blackhat types are liable to leave their spore. (Yeah, there's a bit of probability involved, here.)

This account does not have messy stuff like Flash installed, of course.

I download the newest, shiniest Flash plugin from Adobe. Then I move the downloaded file up to the top level of the user directory,

/home/safeuser

Then I switch back to the root console. (Sometimes I use an admin user with sudo instead of root directly; it depends on the day.) Then

mv /home/safeuser/install_flash_player_10_linux.tar.gz /home/adminuser

for safekeeping. And

cd /home/user/.mozilla/plugins
tar xzf /home/adminuser/install_flash_player_10_linux.tar.gz
chown user:user libflashplayer.so

Here's the result of an ls -l:

-rw-rw-r--. 1 user user 12127284 Mar 11 12:33 libflashplayer.so

And here's the SHA256 checksum I'm calculating on what I just downloaded (the March 11, 2011 version):

57889f6cf023927fbf50ca4d7496c0e2aa1eabad76120a18c8e4b7be57e9aaf9  install_flash_player_10_linux.tar.gz

(I need to try to fix the formatting on that.)
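The two points the post makes, a checksum that lives somewhere other than the download farm and a download done as a throwaway user before a root-side install, as one added shell script. This is example code, not from the post or from Adobe: the tarball it builds is a constructed stand-in for install_flash_player_10_linux.tar.gz, and the checksums.txt file stands in for the separately hosted checksum list.

```shell
#!/bin/sh
# Added example (not from the original post): check a downloaded tarball
# against a checksum list published on a separate host, inspect the archive
# for path traversal, then extract only the one plugin file.
set -eu

# verify_sha256 FILE CHECKSUM_FILE
# CHECKSUM_FILE is in "sha256sum" output format, i.e. what a separately
# hosted checksum page would carry.  Returns 1 on mismatch or missing entry.
verify_sha256() {
    name=$(basename "$1")
    expected=$(awk -v f="$name" '$2 == f { print $1 }' "$2")
    [ -n "$expected" ] || { echo "no checksum listed for $name" >&2; return 1; }
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || { echo "checksum mismatch for $name" >&2; return 1; }
}

# install_plugin TARBALL DEST MEMBER
# Refuses archives with absolute or "../" member names, extracts only MEMBER,
# and insists the result is a regular file (not a symlink) before fixing modes.
install_plugin() {
    if tar tzf "$1" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "archive contains unsafe paths, refusing" >&2; return 1
    fi
    mkdir -p "$2"
    tar xzf "$1" -C "$2" "$3"
    [ -f "$2/$3" ] && [ ! -L "$2/$3" ] || { echo "$3 is not a regular file" >&2; return 1; }
    chmod 0644 "$2/$3"
}

# Stand-alone demo on a constructed archive (a stand-in for Adobe's tarball);
# the checksum file here plays the role of the separately hosted list.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/src" && printf 'not a real plugin\n' > "$tmp/src/libflashplayer.so"
    tar czf "$tmp/install_flash_player_10_linux.tar.gz" -C "$tmp/src" libflashplayer.so
    (cd "$tmp" && sha256sum install_flash_player_10_linux.tar.gz > checksums.txt)
    verify_sha256 "$tmp/install_flash_player_10_linux.tar.gz" "$tmp/checksums.txt"
    install_plugin "$tmp/install_flash_player_10_linux.tar.gz" "$tmp/plugins" libflashplayer.so
    ls -l "$tmp/plugins"
    rm -rf "$tmp"
}

demo
```

On the real box the DEST would be /home/user/.mozilla/plugins and the chown from the post still follows, run from the root console; the checksum step only means something when the list comes from a host other than the one the tarball came from.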