Most people download software from websites using GUI browsers, while performing a checksum generally requires opening a terminal, changing directories to where the file was downloaded, and running the checksum program there. Maybe the web browser should provide a UI for doing checksums directly in the download manager. For example, each download entry could have a blank "checksum" text box where you can paste in the checksum given on the page.
> In the case where the attacker has direct control over the website then you're right, it doesn't help at all.
I was pretty sure that's the threat model we were discussing: Software authenticity.
The only way to automatically know if a piece of software is legitimate is to have a trusted public key that can verify a signature.
Also, HTTPS is implied these days. If you're not using HTTPS, you are either malicious, negligent, incompetent, or working for someone who is some or all of the above.
> If you're not using HTTPS, you are either malicious, negligent, incompetent…
Or poor. Hosting large amounts of binaries over HTTPS isn't cheap. I just priced Amazon S3 and CloudFront and for the amount of data that I serve it would cost $300 per month. That's a lot to commit for a GPL-ed binary that brings in practically zero revenue. Maybe there's a cut-rate VPS out there that can handle 150GB of data and 3TB of bandwidth per month on the cheap, but I haven't found it yet.
Right. All I have to do is distribute the correct hash for my binary as a malicious software distributor because there's no authenticity verification at all, only that the bits in my binary blob match a certain pattern.
That would be a useful extension/plugin for browsers actually.
Maybe, as pointed out in another reply, not for checksums but for signatures. So you just copy/paste the signature after selecting a file, and then it can verify its validity.
Is there no such extension yet? It seems like there should be one already.
Maybe something like:
- have a database of common downloads and all their crypto info, which developers can update once they are validated
- have browser extensions that will check packages on download and alert if suspicious
You could pay for it with some sort of sponsorship from apps themselves, who have an interest in not getting compromised like this (it's terrible publicity).
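
An added example, not part of any comment in this thread and not code from any existing extension: it contrasts the two checks discussed above, a checksum pasted from the download page and a signature verified against a publisher key pinned out of band. The file name, the `pinnedKeys` map, the keys and the sample bytes are all constructed for illustration; Ed25519 via Node's built-in `crypto` module is an assumed choice of signature scheme.

```javascript
const crypto = require("node:crypto");

// Constructed publisher key pair; a real verifier would ship only the public key.
const publisher = crypto.generateKeyPairSync("ed25519");
// Hypothetical pinned-key database (download name -> trusted public key),
// obtained out of band rather than from the download page.
const pinnedKeys = new Map([["example-app.tar.gz", publisher.publicKey]]);

const sha256Hex = (buf) => crypto.createHash("sha256").update(buf).digest("hex");

// Checksum check: compares the file with whatever hash the page displays.
function checksumMatches(file, pageChecksumHex) {
  const a = Buffer.from(sha256Hex(file), "hex");
  const b = Buffer.from(pageChecksumHex.trim().toLowerCase(), "hex");
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Signature check: uses the pinned key only, never a key supplied by the page.
function signatureValid(name, file, signatureB64) {
  const key = pinnedKeys.get(name);
  if (!key) return false; // unknown download: fail closed
  try {
    return crypto.verify(null, file, key, Buffer.from(signatureB64, "base64"));
  } catch {
    return false; // malformed signature
  }
}

function checkDownload(page) {
  return {
    checksumOk: checksumMatches(page.file, page.checksum),
    signatureOk: signatureValid(page.name, page.file, page.signature),
  };
}

// Constructed sample: the genuine page and file.
const genuineFile = Buffer.from("genuine release bytes (constructed sample)");
const genuinePage = {
  name: "example-app.tar.gz", file: genuineFile, checksum: sha256Hex(genuineFile),
  signature: crypto.sign(null, genuineFile, publisher.privateKey).toString("base64"),
};
// Constructed sample: the page serves a different file with a matching hash,
// signed by a key that is not the pinned one.
const otherKey = crypto.generateKeyPairSync("ed25519");
const tamperedFile = Buffer.from("tampered release bytes (constructed sample)");
const compromisedPage = {
  name: "example-app.tar.gz", file: tamperedFile, checksum: sha256Hex(tamperedFile),
  signature: crypto.sign(null, tamperedFile, otherKey.privateKey).toString("base64"),
};
```

For `compromisedPage` the checksum check passes while the signature check fails, which is why the pinned key has to come from somewhere other than the page that serves the file.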