[Box Backup] Small suggestion
Dennis Speekenbrink
boxbackup@fluffy.co.uk
Wed, 27 Jul 2005 18:12:07 +0200
Ben Summers wrote:
> This is deliberate. Publishing an MD5 sum of a file on the same
> server which serves that file (or a "connected" server) is a false
> sense of security. If an attacker can modify the distribution file,
> they can also modify the MD5 sum on the web page.
True, but I assumed the sourceforge download/mirror system was not
connected in such a way to the Box Backup home page. I guess that if
the downloads offered by SourceForge are coming from the same server as
the homepage, than my suggestion is only halfway safe (and therefore may
do more harm than good).
> Only trust MD5 sums from independent people who have personally
> verified the sources. And even then, look closely. Or better still,
> verify the source yourself.
Right you are. Even then, publishing MD5 sums on "disconnected" sites
helps nothing against man-in-the-middle-attacks (if an intruder has
taken over my local proxy/gateway/etc he/she could modify both the site
as it appears to me, as well as the downloaded source), but it does give
a little extra sanity check.
The thought just occurred to me as I was downloading the source, I've
got no reason to suspect that anything is wrong with my local copy.
I'll verify the code myself for as far as my capabilities go, if only
for educational purposes.
I'll also fire off an off-list mail to request the MD5 sum.
Thanks,
Dennis