ATTENTION: You are viewing a page formatted for mobile devices; to view the full web page, click HERE.

Other Software > Developer's Corner

md5 / sha1 hashes What's the point?

(1/3) > >>

I sometimes see md5/sha1 hashes available to check programs/isos against. What is the point of them?

I know they can be used to verify that the program/software was downloaded without crc errors, but any good installer checks its contents for this before installing, and I've not had any crc errors for years in downloads. Hashes supposedly can tell you if the file has been tampered with, as I read the other day where an author's downloads were manipulated and they said: Always check your hashes. However surely it's trivial to change the webpage where the hash is listed or the hash file itself? How do you know that the person that made the installer and the hash file are the same person and are in fact the correct author of the download? So in my view it's not any help in this area either.

I must be missing something, so I ask: what is a good use of these hashes?

Hashes are a poor mans tampering/correctness test, as you said. It is mostly useful when the downloads are located on a different system than the actual announcement place.

If you want real security, you sign the package to get cryptographic blahblah on your side. Or maybe you can just sign the hash. I'm unsure, to be honest. :)

But yeah, the real use for them has eluded me too. Automated integrity tests seem like the only use to me.

I think they serve several purposes.

First, your point is correct, that if someone is hosting files on a web server and serving web pages from the same server, someone who could modify the files for download could also modify the displayed hash values.

However, in this case the author and others would presumably NOTICE that the web page hash values had suddenly changed.  So it would greatly increase the chance that the manipulation was noticed.

But more importantly -- it's quite common for large companies that use these kinds of hashes (Microsoft, etc.) to post the hash values for a download in multiple places on multiple servers.  And that's where the real security comes from.  Because it means that it's not practical for someone to manipulate the previously released distributed information about hash values.

Even if you are just an independent developer, you could simply post the hash values of an important file on a few forums, etc.  That would make it impractical for anyone to be able to manipulate those public hash values.  

In security lingo, this general concept of having a secondary channel of information that won't be vulnerable even if the main channel is tampered with is known as: out-of-band.

However, in this case the author and others would presumably NOTICE that the web page hash values had suddenly changed.  So it would greatly increase the chance that the manipulation was noticed.
-mouser (July 20, 2011, 03:44 AM)
--- End quote ---

It would be the 'others' more-so than the author, and not because the hash value changed but because the software acts up. As you say in the paragraph following that one, the original hash being posted as multiple locations is where the safety comes from - not from people mysteriously noticing a random string of hexadecimal digits changed.

You most likely can't even tell the first letter of the hash of the current release of some program, even if it were the only one you offer. Hell, if got hacked and someone put an innocent <!-- mouser is a mouserer! --> in the source of a specific page - would you notice? :)

Your point makes sense mouser, and this is the first time I heard about posting hash files in multiple places. Who ever checks that hashes are identical in multiple locations though before checking the download hash matches it? If that is what is required then I think the practicality of someone correctly using hashes is close to zero. How does someone know the other locations that store the hash file? A hacker could simple change the link to another site it controls, so now you need to verify the locations as well as the hash files. *head explodes*


[0] Message Index

[#] Next page

Go to full version