Date:      Wed, 9 Oct 2002 12:36:02 -0700
From:      Kris Kennaway <kris@freebsd.org>
Cc:        Mike Tancsa <mike@sentex.net>, Erick Mechler <emechler@techometer.net>, security@FreeBSD.ORG
Subject:   Re: Am I downloading what I think I am (was Re: I doubt that this affects FreeBSD, but FYI
Message-ID:  <20021009193602.GG84472@xor.obsecurity.org>
In-Reply-To: <20021009193436.GF84472@xor.obsecurity.org>
References:  <A87611A0-DB29-11D6-8AF4-003065479A66@infospace.com> <4.3.2.7.2.20021008174734.029e9e00@localhost> <A87611A0-DB29-11D6-8AF4-003065479A66@infospace.com> <5.1.1.6.0.20021009130608.0655d7f8@marble.sentex.ca> <20021009193436.GF84472@xor.obsecurity.org>



On Wed, Oct 09, 2002 at 01:13:51PM -0400, Mike Tancsa wrote:

> One thing to note about MD5 sums, is that if someone broke into an ftp site
> and uploaded a trojaned file, why not upload a new matching MD5 checksum
> file as well ?

MD5 sums distributed _with_ the binary are a guard against corruption
during download, they are not a security mechanism.  _Externally_
distributed MD5 checksums (not obtained from the same source) are a
security mechanism (not a perfect one, but very good in practice) -
the md5 sums in the FreeBSD ports collection fall into this class,
which is why FreeBSD was never affected by this problem even if people
downloaded the trojaned distfile (unless they overrode the security
warning and shot their own foot off).

Kris



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iD8DBQE9pIUhWry0BWjoQKURAg+lAJ916S14OYtDB+qibhWNC6xLfN1cuwCeK5hk
QtpVYri194YNDsVykPu1ggU=
=EVwX
-----END PGP SIGNATURE-----

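Kris's distinction above, as an added example that is not code from the original thread or from the FreeBSD ports framework: a small Python verifier for checksum lines in the `MD5 (file) = hex` form that md5(1) and the ports distinfo files use, run against a constructed distfile and a constructed trojaned replacement. The distfile name, its contents and the "mirror compromise" are placeholders; the point is that a checksum fetched alongside the file is rewritten along with it, while a copy held elsewhere (the ports distinfo) still catches the substitution.

```python
import hashlib
import hmac
import re

# BSD md5(1) output and ports distinfo line format, e.g.:
#   MD5 (foo-1.0.tar.gz) = 9e107d9d372bb6826bd81d3542a419d6
DISTINFO_RE = re.compile(
    r"^(?P<alg>[A-Z0-9]+) \((?P<name>[^)]+)\) = (?P<digest>[0-9a-f]+)$")


def parse_distinfo(text):
    """Return {filename: (hashlib algorithm name, hex digest)} from distinfo-style lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = DISTINFO_RE.match(line)
        if not m:
            raise ValueError("unrecognized distinfo line: %r" % line)
        entries[m.group("name")] = (m.group("alg").lower(), m.group("digest"))
    return entries


def digest(data, alg):
    """Hex digest of data under any algorithm hashlib knows (md5, sha256, ...)."""
    h = hashlib.new(alg)
    h.update(data)
    return h.hexdigest()


def make_distinfo(name, data, alg="md5"):
    """Produce the one-line record a maintainer (or an attacker) would write for a file."""
    return "%s (%s) = %s\n" % (alg.upper(), name, digest(data, alg))


def verify(name, data, distinfo_text):
    """True if data matches the digest recorded for name; KeyError if none is recorded."""
    entries = parse_distinfo(distinfo_text)
    if name not in entries:
        raise KeyError("no checksum recorded for %s" % name)
    alg, expected = entries[name]
    return hmac.compare_digest(digest(data, alg), expected)


# --- constructed scenario (placeholders, not a real distfile) ---------------
DISTNAME = "example-1.0.tar.gz"                 # hypothetical distfile name
ORIGINAL = b"genuine tarball contents (constructed placeholder)\n"
TROJANED = b"tarball contents with a backdoor (constructed placeholder)\n"

# The port maintainer records the digest of the genuine file in the ports
# tree.  That copy lives outside the download server, so a compromise of the
# server does not reach it.
PORTS_DISTINFO = make_distinfo(DISTNAME, ORIGINAL)


def compromise_mirror():
    """Attacker replaces the distfile and rewrites the .md5 file sitting next to it."""
    return TROJANED, make_distinfo(DISTNAME, TROJANED)


def scenario():
    """Check the downloaded file against both kinds of checksum source."""
    downloaded, mirror_md5_file = compromise_mirror()
    return {
        # Same-source checksum: matches, because the attacker updated it too.
        "same_source_check": verify(DISTNAME, downloaded, mirror_md5_file),
        # Externally held checksum: fails, exposing the substitution.
        "external_check": verify(DISTNAME, downloaded, PORTS_DISTINFO),
    }


if __name__ == "__main__":
    for label, ok in scenario().items():
        print("%-18s %s" % (label, "OK" if ok else "MISMATCH"))
```

The parser accepts any algorithm name hashlib understands, so the same check works unchanged on SHA256 lines; what it cannot help with is an external checksum that was itself fetched over the same compromised channel, which is the caveat behind "not a perfect one" above.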

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021009193602.GG84472>