Date: Wed, 14 Mar 2001 04:59:22 +0000 (GMT)
From: Terry Lambert <tlambert@primenet.com>
To: roam@orbitel.bg (Peter Pentchev)
Cc: freebsd-arch@FreeBSD.ORG
Subject: Re: [PATCH] add a SITE MD5 command to ftpd
Message-ID: <200103140459.VAA03061@usr05.primenet.com>
In-Reply-To: <20010313211544.B17733@ringworld.oblivion.bg> from "Peter Pentchev" at Mar 13, 2001 09:15:44 PM
> A recent thread about Bill Fenner's distfiles-checking scripts
> set me thinking about easy detection of MD5 checksum mismatches.
> Bill Fenner pointed out that these checks are not done because
> of the sheer volume of the network traffic needed to download
> all the distfiles from all the distsites.
>
> I know that adding a ``SITE MD5 filename'' command to our ftpd
> is a *very* little step in a possibly wrong direction (this will
> not automagically make all the ftp daemons on all the distsites
> implement this command), but IMHO, it's a start.. I'm thinking
> of adding similar functionality to wu-ftpd and ProFTPd soon, and
> submitting patches to the authors, in the hope of starting a ball
> rolling :)

The point of the MD5 is to provide a locally uncorruptable, verifiable crosscheck between the image on a remote side and the contents of a local ports Makefile.

People also use MD5 for image verification; this only works when you can establish an SA (Security Association) between the value of the checksum and the signature, so that a binary with the same signature is considered valid. The DNS, sendmail, and other people normally do this by signing email containing the signature announcement.

It seems to me that if I were to rely on a "SITE MD5 filename" command as my crosscheck, it doesn't really matter what the real MD5 would be, if computed locally: the remote site can lie, and tell me that it's anything it wants to tell me, in order to get me to accept the validity of the binary.

In other words, we are back to sites being trusted for their content, rather than a distrust of content.

Indeed, I can see "Bob's super fast FTP daemon" (or whatever) using a cached list of filename/MD5 pairs to be able to more quickly answer such requests, should these things become popular, for some reason (per above, that reason won't be security, obviously).
I can see this happening also for FTP servers which want to be able to handle higher loads, with the MD5 overhead reducing overall load that you could expect a server to handle.

Clearly, "Cached Data Considered Harmful" very quickly comes into play here.

So before doing this, ask yourself:

1) Why do we have MD5's at all, in the first place?

2) Does this new extension threaten that reason for them existing in the first place?

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present or previous employers.
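The trust argument in this message, as an added Python example that is not part of the original thread or of FreeBSD's ftpd: it contrasts accepting a server's own SITE MD5 reply with hashing the download locally and comparing it against a checksum kept in the local ports tree. The `MD5 (file) = hex` distinfo line format is used as the local record; the file name, archive bytes and distinfo content are constructed for illustration.

```python
import hashlib
import re

# Constructed sample distfile and a tampered copy of it, standing in for what a
# remote distsite might actually serve. Not taken from the original thread.
ORIGINAL = b"foo-1.0 original archive contents\n"
TAMPERED = b"foo-1.0 archive with altered contents\n"

# Constructed distinfo content in the "MD5 (file) = hex" line format; the value
# is computed out of band from the genuine archive and kept locally. This local
# record is the trust anchor the remote site cannot rewrite.
DISTINFO = f"MD5 (foo-1.0.tar.gz) = {hashlib.md5(ORIGINAL).hexdigest()}\n"

_DISTINFO_LINE = re.compile(r"^MD5 \((?P<name>[^)]+)\) = (?P<md5>[0-9a-f]{32})$")


def parse_distinfo(text: str) -> dict:
    """Map each distfile name to the MD5 recorded for it in distinfo lines."""
    expected = {}
    for line in text.splitlines():
        m = _DISTINFO_LINE.match(line.strip())
        if m:
            expected[m.group("name")] = m.group("md5")
    return expected


def site_md5_reply(served: bytes) -> str:
    """Model of a 'SITE MD5 filename' reply: the server hashes (or caches) the
    bytes it actually serves, so the reply always agrees with its own content,
    whether or not that content matches what the port expects."""
    return hashlib.md5(served).hexdigest()


def check_with_server_md5(served: bytes) -> bool:
    """Weak check: compare the download with the MD5 reported by the same host
    that sent the file. Any tampered archive passes."""
    return hashlib.md5(served).hexdigest() == site_md5_reply(served)


def check_with_distinfo(name: str, served: bytes, distinfo: str) -> bool:
    """Independent check: hash the download locally and compare with the value
    held in the local ports tree. An unknown file name is rejected."""
    expected = parse_distinfo(distinfo).get(name)
    return expected is not None and hashlib.md5(served).hexdigest() == expected


if __name__ == "__main__":
    for label, data in (("original", ORIGINAL), ("tampered", TAMPERED)):
        print(label, "server md5:", check_with_server_md5(data),
              "distinfo md5:", check_with_distinfo("foo-1.0.tar.gz", data, DISTINFO))
```

The tampered archive passes the server-side check and fails the distinfo check, which is the distinction the message draws between trusting a site and verifying its content.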