Re: Complex Theoretical One Way Hash Question

David Wagner <daw@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> Jean-Luc Cooke wrote:
>> To do this, you create a HTML page with:
>> in the body and include a library JS file. That's two lines of HTML. Nice.
>>
>> The image is loaded, and over top the image the SHA-256 hash of the image.
>
> However, I don't see how this is useful, since the user has no way
> to know whether to trust the SHA256 hash. The user doesn't get any
> guarantees that the hash displayed is actually the SHA256 hash of the
> image displayed. A malicious JavaScript page could be constructed to
> show one image and another (mismatching) SHA256 hash, and the user would
> have no way to detect this misbehavior.

It's a step closer however - the source code is there to review.

If it was served from a trustworthy site over SSL would that be better? How does
one trust the presented "golden padlock" of SSL sites? I'm preaching to the choir
here, but the trust question is up in the air.
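
The trust gap discussed in this thread, as an added example that is not part of either poster's message or of the library being described: three constructed "pages" each deliver an image and a hash string to overlay, and the checks show which comparison actually says something about the image. The byte strings, the function names and the existence of an independently obtained ("pinned") digest are assumptions made for the illustration; it runs under Node.js.

```javascript
// Added illustration; every name and byte string below is constructed.
const { createHash } = require("crypto");

const sha256Hex = (bytes) => createHash("sha256").update(bytes).digest("hex");

// The image the publisher meant to ship, and the digest a user obtained
// through some channel the page does not control (assumption).
const genuineImage = Buffer.from("constructed-bytes-of-the-genuine-image");
const pinnedDigest = sha256Hex(genuineImage);
const swappedImage = Buffer.from("constructed-bytes-of-a-swapped-image");

// Each page controls both the image bytes and the hash text drawn over them.
const pages = {
  honest: { image: genuineImage, shownHash: sha256Hex(genuineImage) },
  // The case raised in the thread: one image, another (mismatching) hash.
  mismatched: { image: swappedImage, shownHash: sha256Hex(genuineImage) },
  // A swapped image whose overlay is a correct hash of the swapped bytes.
  consistentSwap: { image: swappedImage, shownHash: sha256Hex(swappedImage) },
};

function assess(page, pinned) {
  // Recomputed by code the user controls, not by the page's own script.
  const recomputed = sha256Hex(page.image);
  return {
    // What a user can do by eye: compare the overlay text to the pinned digest.
    overlayMatchesPin: page.shownHash === pinned,
    // Overlay agrees with the delivered bytes; says nothing about authenticity.
    selfConsistent: page.shownHash === recomputed,
    // The only check that binds the delivered bytes to the expected image.
    authentic: recomputed === pinned,
  };
}

function report() {
  return Object.fromEntries(
    Object.entries(pages).map(([name, page]) => [name, assess(page, pinnedDigest)])
  );
}

console.log(report());
```

The `mismatched` page passes the by-eye overlay comparison and the `consistentSwap` page passes the self-consistency check; only recomputing the digest outside the page and comparing it to the pinned value rejects both.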


