From owner-freebsd-arch Tue Mar 13 20:59:39 2001
Delivered-To: freebsd-arch@freebsd.org
Received: from smtp03.primenet.com (smtp03.primenet.com [206.165.6.133]) by hub.freebsd.org (Postfix) with ESMTP id 86BA737B71A for ; Tue, 13 Mar 2001 20:59:36 -0800 (PST) (envelope-from tlambert@usr05.primenet.com)
Received: (from daemon@localhost) by smtp03.primenet.com (8.9.3/8.9.3) id VAA28496; Tue, 13 Mar 2001 21:56:17 -0700 (MST)
Received: from usr05.primenet.com(206.165.6.205) via SMTP by smtp03.primenet.com, id smtpdAAAqRa4H3; Tue Mar 13 21:56:06 2001
Received: (from tlambert@localhost) by usr05.primenet.com (8.8.5/8.8.5) id VAA03061; Tue, 13 Mar 2001 21:59:22 -0700 (MST)
From: Terry Lambert
Message-Id: <200103140459.VAA03061@usr05.primenet.com>
Subject: Re: [PATCH] add a SITE MD5 command to ftpd
To: roam@orbitel.bg (Peter Pentchev)
Date: Wed, 14 Mar 2001 04:59:22 +0000 (GMT)
Cc: freebsd-arch@FreeBSD.ORG
In-Reply-To: <20010313211544.B17733@ringworld.oblivion.bg> from "Peter Pentchev" at Mar 13, 2001 09:15:44 PM
X-Mailer: ELM [version 2.5 PL2]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-arch@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> A recent thread about Bill Fenner's distfiles-checking scripts
> set me thinking about easy detection of MD5 checksum mismatches.
> Bill Fenner pointed out that these checks are not done because
> of the sheer volume of the network traffic needed to download
> all the distfiles from all the distsites.
>
> I know that adding a ``SITE MD5 filename'' command to our ftpd
> is a *very* little step in a possibly wrong direction (this will
> not automagically make all the ftp daemons on all the distsites
> implement this command), but IMHO, it's a start.. I'm thinking
> of adding similar functionality to wu-ftpd and ProFTPd soon, and
> submitting patches to the authors, in the hope of starting a ball
> rolling :)

The point of the MD5 is to provide a locally uncorruptable, verifiable
crosscheck between the image on a remote side and the contents of a
local ports Makefile.

People also use MD5 for image verification; this only works when you
can establish an SA (Security Association) between the value of the
checksum and the signature, so that a binary with the same signature
is considered valid. The DNS, sendmail, and other people normally do
this by signing email containing the signature announcement.

It seems to me that if I were to rely on a "SITE MD5 filename" command
as my crosscheck, that it doesn't really matter what the real MD5 would
be, if computed locally, the remote site can lie, and tell me that it's
anything it wants to tell me, in order to get me to accept the validity
of the binary.

In other words, we are back to sites being trusted for their content,
rather than a distrust of content.

Indeed, I can see "Bob's super fast FTP daemon" (or whatever) using a
cached list of filename/MD5 pairs to be able to more quickly answer such
requests, should these things become popular, for some reason (per above,
that reason won't be security, obviously). I can see this happening also
for FTP servers which want to be able to handle higher loads, with the
MD5 overhead reducing overall load that you could expect a server to
handle.

Clearly, "Cached Data Considered Harmful" very quickly comes into play
here.

So before doing this, ask yourself:

1) Why do we have MD5's at all, in the first place?

2) Does this new extension threaten that reason for them existing in
the first place?

					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-arch" in the body of the message
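The trust argument in the mail above, worked through in code. This is an added illustration and not part of the thread or of any ftpd; the `Mirror` class, the three check functions and the sample distfile bytes are constructed for the example. It contrasts three reference points for an MD5: the server's own SITE MD5 answer (which only ever shows that the server is consistent with itself), the digest recorded in the local ports distinfo (the crosscheck the mail says MD5s exist for), and a download-free precheck that compares the server's claim to local distinfo, which is useful for spotting mismatches cheaply but, as the stale-cache scenario shows, cannot vouch for a file that has not been fetched and re-hashed.

```python
"""Added example (not from the original mail): which reference an MD5
check is made against decides what it proves."""
import hashlib
from typing import Dict, Optional

# Constructed sample data, not real distfiles.
GOOD_DISTFILE = b"example-1.0.tar.gz contents (constructed sample)\n"
TAMPERED_DISTFILE = b"example-1.0.tar.gz contents (constructed sample, altered)\n"

# Digest the port maintainer recorded locally when the port was committed;
# this value lives on the verifier's side, not on the mirror.
LOCAL_DISTINFO_MD5 = hashlib.md5(GOOD_DISTFILE).hexdigest()


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a byte string, computed locally."""
    return hashlib.md5(data).hexdigest()


class Mirror:
    """Toy FTP mirror (assumed for this example).

    retr() plays RETR and returns the stored bytes; site_md5() plays the
    proposed SITE MD5 command. When `site_md5_answer` is given, the answer is
    decoupled from the content, which models the cached filename/MD5 list the
    mail describes as well as a site that simply reports what it likes.
    """

    def __init__(self, data: bytes, site_md5_answer: Optional[str] = None):
        self.data = data
        self.site_md5_answer = site_md5_answer

    def retr(self) -> bytes:
        return self.data

    def site_md5(self) -> str:
        if self.site_md5_answer is not None:
            return self.site_md5_answer
        return md5_hex(self.data)  # honest implementation hashes on the fly


def check_against_server_claim(mirror: Mirror) -> bool:
    """Trust model the mail warns against: the server's claim is the reference.
    This passes whenever the server is self-consistent, tampered or not."""
    return mirror.site_md5() == md5_hex(mirror.retr())


def check_against_local_distinfo(mirror: Mirror, expected_md5: str) -> bool:
    """Trust model the ports tree uses: the locally held digest is the reference."""
    return md5_hex(mirror.retr()) == expected_md5


def precheck_without_download(mirror: Mirror, expected_md5: str) -> bool:
    """Cheap mismatch detection for distfile-checking scripts: compare the
    server's claim to local distinfo without transferring the file. A mismatch
    is a real alarm; a match proves nothing until the file is fetched."""
    return mirror.site_md5() == expected_md5


def run_scenarios() -> Dict[str, Dict[str, bool]]:
    """Outcome of each check in three situations a fetch script could meet."""
    scenarios = {
        "intact, honest SITE MD5": Mirror(GOOD_DISTFILE),
        "altered, honest SITE MD5": Mirror(TAMPERED_DISTFILE),
        # Content changed after the server cached its MD5 list.
        "altered, stale cached SITE MD5": Mirror(TAMPERED_DISTFILE, LOCAL_DISTINFO_MD5),
    }
    return {
        name: {
            "server_claim_check": check_against_server_claim(m),
            "local_distinfo_check": check_against_local_distinfo(m, LOCAL_DISTINFO_MD5),
            "precheck_no_download": precheck_without_download(m, LOCAL_DISTINFO_MD5),
        }
        for name, m in scenarios.items()
    }


if __name__ == "__main__":
    for name, results in run_scenarios().items():
        print(name)
        for check, ok in results.items():
            print(f"  {check:22s} {'OK' if ok else 'MISMATCH'}")
```

Only the local distinfo check fails in both altered scenarios. The server-claim check passes for the honestly served but altered file, and the download-free precheck passes for the stale-cache case, which is exactly the "cached data considered harmful" outcome the mail anticipates.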