[Box Backup] Small suggestion
Ben Summers
boxbackup@fluffy.co.uk
Wed, 27 Jul 2005 16:36:51 +0100
On 27 Jul 2005, at 16:21, Dennis Speekenbrink wrote:
> Hi everyone,
>
> Just a small idea:
> Would it be possible to post the MD5 sum of the current version on
> the Box Backup homepage? This adds just a little extra security to
> the whole mirroring system.
> I couldn't find it on fluffy.co.uk or on sourceforge.net

This is deliberate. Publishing an MD5 sum of a file on the same
server which serves that file (or a "connected" server) is a false
sense of security. If an attacker can modify the distribution file,
they can also modify the MD5 sum on the web page.

Such things are only useful in completely independent systems, such
as port systems which verify the files they download.

I would mention the MD5 sum in this email, but someone could have
forged it. A better way is to email me to ask for it, and check that
my reply includes your original text, but it's still only marginally
better because the source is still the source of the original file
and a hacker could have intercepted the email.

Only trust MD5 sums from independent people who have personally
verified the sources. And even then, look closely. Or better still,
verify the source yourself.

Ben
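
The port-system style of check mentioned in the message above, as an added example that is not part of the original email or of Box Backup: size and digest are pinned in a distinfo-style manifest kept apart from the download server. The file name and contents are constructed, and SHA-256 stands in for MD5.

```python
import hashlib
import hmac
import re

# Ports "distinfo"-style lines: ALGO (filename) = value
_LINE = re.compile(
    r"^(?P<algo>SHA256|SIZE) \((?P<name>[^)]+)\) = (?P<value>[0-9A-Fa-f]+)$")


def parse_distinfo(text):
    """Return {filename: {"SHA256": hex, "SIZE": int}} from manifest text."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable manifest line: {line!r}")
        value = int(m["value"]) if m["algo"] == "SIZE" else m["value"].lower()
        entries.setdefault(m["name"], {})[m["algo"]] = value
    return entries


def verify(name, data, manifest):
    """Check downloaded bytes against the pinned entry; fail closed."""
    entry = manifest.get(name)
    if entry is None or "SHA256" not in entry or "SIZE" not in entry:
        return False  # an incomplete pin verifies nothing
    if len(data) != entry["SIZE"]:
        return False
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), entry["SHA256"])


# Constructed sample data: the tarball as an independent maintainer reviewed
# it, and the bytes a modified distribution server hands out instead.
NAME = "boxbackup-example.tgz"  # hypothetical file name
GENUINE = b"reviewed source tree\n"
TAMPERED = b"reviewed source tree, modified\n"


def manifest_for(data):
    """Build the manifest text a publisher would generate for these bytes."""
    return parse_distinfo(
        f"SHA256 ({NAME}) = {hashlib.sha256(data).hexdigest()}\n"
        f"SIZE ({NAME}) = {len(data)}\n")


# Pinned in the ports tree when the maintainer verified the source.
INDEPENDENT = manifest_for(GENUINE)
# Published beside the download: whoever changed the file regenerated it too.
SAME_SERVER = manifest_for(TAMPERED)
```

verify(NAME, TAMPERED, INDEPENDENT) is rejected, while verify(NAME, TAMPERED, SAME_SERVER) passes, which is the false sense of security the message describes.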