Date: Wed, 9 Oct 2002 12:36:02 -0700 From: Kris Kennaway <kris@freebsd.org> Cc: Mike Tancsa <mike@sentex.net>, Erick Mechler <emechler@techometer.net>, security@FreeBSD.ORG Subject: Re: Am I downloading what I think I am (was Re: I doubt that this affects FreeBSD, but FYI Message-ID: <20021009193602.GG84472@xor.obsecurity.org> In-Reply-To: <20021009193436.GF84472@xor.obsecurity.org> References: <A87611A0-DB29-11D6-8AF4-003065479A66@infospace.com> <4.3.2.7.2.20021008174734.029e9e00@localhost> <A87611A0-DB29-11D6-8AF4-003065479A66@infospace.com> <5.1.1.6.0.20021009130608.0655d7f8@marble.sentex.ca> <20021009193436.GF84472@xor.obsecurity.org>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] On Wed, Oct 09, 2002 at 01:13:51PM -0400, Mike Tancsa wrote: > One thing to note about MD5 sums, is that if someone broke into an ftp site > and uploaded a trojaned file, why not upload a new matching MD5 checksum > file as well ? MD5 sums distributed _with_ the binary are a guard against corruption during download, they are not a security mechanism. _Externally_ distributed MD5 checksums (not obtained from the same source) are a security mechanism (not a perfect one, but very good in practise) - the md5 sums in the FreeBSD ports collection fall into this class, which is why FreeBSD was never affected by this problem even if people downloaded the trojaned distfile (unless they overrode the security warning and shot their own foot off). Kris [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iD8DBQE9pIUhWry0BWjoQKURAg+lAJ916S14OYtDB+qibhWNC6xLfN1cuwCeK5hk QtpVYri194YNDsVykPu1ggU= =EVwX -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021009193602.GG84472>