Date: Wed, 09 Oct 2002 15:54:27 -0400 From: Mike Tancsa <mike@sentex.net> To: Kris Kennaway <kris@FreeBSD.ORG> Cc: security@FreeBSD.ORG Subject: Re: Am I downloading what I think I am (was Re: I doubt that this affects FreeBSD, but FYI Message-ID: <5.1.1.6.0.20021009154208.05e43d98@marble.sentex.ca> In-Reply-To: <20021009193602.GG84472@xor.obsecurity.org> References: <20021009193436.GF84472@xor.obsecurity.org> <A87611A0-DB29-11D6-8AF4-003065479A66@infospace.com> <4.3.2.7.2.20021008174734.029e9e00@localhost> <A87611A0-DB29-11D6-8AF4-003065479A66@infospace.com> <5.1.1.6.0.20021009130608.0655d7f8@marble.sentex.ca> <20021009193436.GF84472@xor.obsecurity.org>
next in thread | previous in thread | raw e-mail | index | archive | help
At 12:36 PM 09/10/2002 -0700, Kris Kennaway wrote:
>On Wed, Oct 09, 2002 at 01:13:51PM -0400, Mike Tancsa wrote:
>
> > One thing to note about MD5 sums, is that if someone broke into an ftp site
> > and uploaded a trojaned file, why not upload a new matching MD5 checksum
> > file as well ?
>
>MD5 sums distributed _with_ the binary are a guard against corruption
Hi,
Sorry, I should have been more clear. I was speaking more to the
general issue of a user downloading both the binary and checksum from the
same source as is / was the case with ftp.sendmail.org.
I really like how the ports work because they do add a bit of extra
security. Like you said, its not perfect, but it does help. Actually, I
am somewhat surprised there is not some more widely used mechanism. e.g.
for integrity checksums, why not have it on a totally separate server run
on a totally separate network by totally separate admins. data one place,
checksum another. This way to tamper with the package, you would need to
compromise two different systems. A sort of checksum clearing house ?
---Mike
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5.1.1.6.0.20021009154208.05e43d98>