Re: Complex Theoretical One Way Hash Question

David Wagner <daw@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Jean-Luc Cooke wrote:
To do this, you create a HTML page with:
in the body and include a library JS file. That's two lines of HTML. Nice.

The image is loaded, and over top the image the SHA-256 hash of the image.

However, I don't see how this is useful, since the user has no way
to know whether to trust the SHA256 hash. The user doesn't get any
guarantees that the hash displayed is actually the SHA256 hash of the
image displayed. A malicious JavaScript page could be constructed to
show one image and another (mismatching) SHA256 hash, and the user would
have no way to detect this misbehavior.

It's a step closer however - the source code is there to review.

If it was served from a trustworthy site over SSL would that be better? How does
one trust the presented "golden pad lock" of SSL sites. I'm preaching to the chior
here, but the trust question is up in the air.