[Box Backup] Small suggestion

Ben Summers boxbackup at fluffy.co.uk
Wed Jul 27 17:19:11 BST 2005


On 27 Jul 2005, at 17:12, Dennis Speekenbrink wrote:

> Ben Summers wrote:
>
>
>> This is deliberate. Publishing an MD5 sum of a file on the same   
>> server which serves that file (or a "connected" server) is a  
>> false  sense of security. If an attacker can modify the  
>> distribution file,  they can also modify the MD5 sum on the web page.
>>
>
> True, but I assumed the sourceforge download/mirror system was not  
> connected in such a way to the Box Backup home page.  I guess that  
> if the downloads offered by SourceForge are coming from the same  
> server as the homepage, than my suggestion is only halfway safe  
> (and therefore may do more harm than good).

I have access to both my server and the SourceForge one. While you  
can personally evaluate the security of my code, you can't personally  
evaluate the security of me as an individual.

I suppose this is a principled stand, but I really think posting and  
MD5 sum on your web pages is silly. And we should be using SHA-256  
now, given the issues with older hashes.

>
>
>> Only trust MD5 sums from independent people who have personally   
>> verified the sources. And even then, look closely. Or better  
>> still,  verify the source yourself.
>>
>
> Right you are.  Even then, publishing MD5 sums on "disconnected"  
> sites helps nothing against man-in-the-middle-attacks (if an  
> intruder has taken over my local proxy/gateway/etc he/she could  
> modify both the site as it appears to me, as well as the downloaded  
> source), but it does give a little extra sanity check.

Well quite. How paranoid are you?

> The thought just occurred to me as I was downloading the source,  
> I've got no reason to suspect that anything is wrong with my local  
> copy.
> I'll verify the code myself for as far as my capabilities go, if  
> only for educational purposes.
>
> I'll also fire off an off-list mail to request the MD5 sum.

:-)

Ben







More information about the Boxbackup mailing list