Comment 0 for bug 1320312

dann frazier (dannf) wrote:

When juju is fetching simplestreams metadata for images and tools, it appears to look for a signed file (.sjson) first, and falls back to an unsigned one (.json). This process seems susceptible to man-in-the-middle attacks. An attacker could intercept juju's request for a .sjson file and return a 404, then return a malicious .json file on the fallback request.
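As an added illustration of the downgrade described in the comment (example code, not juju's own), the signed-then-unsigned fetch is shown beside a fail-closed variant that treats a missing .sjson as an error rather than a reason to read .json. Everything here is constructed: the in-memory server, the placeholder URL, and the stand-in verify callback that only checks for a clearsign header.

```python
class MetadataError(Exception):
    """Raised when trustworthy metadata cannot be obtained."""

def fetch_with_fallback(get, base):
    """Pattern described in the report: signed first, unsigned on a miss.
    Returns (body, signed). A 404 on the .sjson request steers the client
    onto the unverified .json branch."""
    status, body = get(base + ".sjson")
    if status == 200:
        return body, True
    status, body = get(base + ".json")
    if status == 200:
        return body, False
    raise MetadataError("no metadata available")

def fetch_signed_only(get, base, verify):
    """Fail-closed variant: the signed stream is mandatory and must verify;
    a missing .sjson is an error, never a reason to read .json."""
    status, body = get(base + ".sjson")
    if status != 200:
        raise MetadataError(f"signed metadata unavailable (HTTP {status})")
    if not verify(body):
        raise MetadataError("signature verification failed")
    return body

# Constructed in-memory "server" (each URL maps to (status, body)) simulating
# the interception described in the report: .sjson answered with 404,
# .json answered with attacker-chosen content.
BASE = "https://example.invalid/streams/v1/index"  # placeholder URL
MITM_SERVER = {
    BASE + ".sjson": (404, b""),
    BASE + ".json": (200, b'{"tools": "attacker-controlled"}'),
}

def mitm_get(url):
    return MITM_SERVER.get(url, (404, b""))

def placeholder_verify(body):
    # Stand-in for real GPG clearsign verification (assumption, not juju code).
    return body.startswith(b"-----BEGIN PGP SIGNED MESSAGE-----")

def run_scenario():
    """Returns (fallback_accepted_unsigned, signed_only_refused)."""
    _, signed = fetch_with_fallback(mitm_get, BASE)
    try:
        fetch_signed_only(mitm_get, BASE, placeholder_verify)
        refused = False
    except MetadataError:
        refused = True
    return (not signed), refused
```

The fallback fetcher silently accepts the unsigned body in this scenario, while the fail-closed fetcher refuses; a real deployment would also need the signing key pinned so that verification cannot be satisfied by an arbitrary clearsigned blob.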