Re: Am I downloading what I think I am (was Re: I doubt that this affects FreeBSD, but FYI

From: Kris Kennaway (kris@freebsd.org)
Date: 10/09/02


Date: Wed, 9 Oct 2002 12:36:02 -0700
From: Kris Kennaway <kris@freebsd.org>


On Wed, Oct 09, 2002 at 01:13:51PM -0400, Mike Tancsa wrote:

> One thing to note about MD5 sums, is that if someone broke into an ftp site
> and uploaded a trojaned file, why not upload a new matching MD5 checksum
> file as well ?

MD5 sums distributed _with_ the binary are a guard against corruption
during download, they are not a security mechanism. _Externally_
distributed MD5 checksums (not obtained from the same source) are a
security mechanism (not a perfect one, but very good in practice) -
the md5 sums in the FreeBSD ports collection fall into this class,
which is why FreeBSD was never affected by this problem even if people
downloaded the trojaned distfile (unless they overrode the security
warning and shot their own foot off).

Kris
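To illustrate the distinction drawn above, here is an added example in Python (not code from the original thread or from the FreeBSD ports tools). It parses a checksum record in the ports distinfo format, `MD5 (file) = hash`, and checks a constructed mirror on which both the distfile and its co-located .md5 file were replaced; file names, contents and hashes are all constructed.

```python
import hashlib
import re
from typing import Dict

# Constructed sample data: the genuine distfile and a substituted one.
GOOD_DISTFILE = b"genuine source tarball contents\n"
TROJANED_DISTFILE = b"tampered source tarball contents\n"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Externally held record in the ports distinfo format, committed to the
# ports tree independently of whatever mirror the distfile is fetched from.
DISTINFO = f"MD5 (foo-1.0.tar.gz) = {md5_hex(GOOD_DISTFILE)}\n"

DISTINFO_RE = re.compile(r"^MD5 \((?P<name>[^)]+)\) = (?P<hash>[0-9a-f]{32})$")


def parse_distinfo(text: str) -> Dict[str, str]:
    """Map distfile name -> expected MD5 hex digest; ignores unrelated lines."""
    sums = {}
    for line in text.splitlines():
        m = DISTINFO_RE.match(line.strip())
        if m:
            sums[m.group("name")] = m.group("hash")
    return sums


def compromised_mirror() -> Dict[str, bytes]:
    """Constructed mirror where the intruder replaced the distfile AND its .md5 file."""
    return {
        "foo-1.0.tar.gz": TROJANED_DISTFILE,
        "foo-1.0.tar.gz.md5": (md5_hex(TROJANED_DISTFILE) + "\n").encode(),
    }


def check_colocated_md5(mirror: Dict[str, bytes], name: str) -> bool:
    """Verify against the .md5 file fetched from the same place as the distfile."""
    expected = mirror[name + ".md5"].decode().strip()
    return md5_hex(mirror[name]) == expected


def check_distinfo(mirror: Dict[str, bytes], name: str, distinfo: str) -> bool:
    """Verify against the externally held distinfo entry instead."""
    expected = parse_distinfo(distinfo).get(name)
    return expected is not None and md5_hex(mirror[name]) == expected


if __name__ == "__main__":
    m = compromised_mirror()
    print("co-located .md5 passes:", check_colocated_md5(m, "foo-1.0.tar.gz"))  # True
    print("ports distinfo passes: ", check_distinfo(m, "foo-1.0.tar.gz", DISTINFO))  # False
```

The co-located check passes on the tampered mirror because the attacker controls both files, while the distinfo check fails and catches the substitution.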
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message