1

Some sites allow us to use hashes to make sure that the file we download is what it should be and that it is not tampered with.

Some sites may have their hashes on a different domain probably on a different server other than the one the download link is on, like the site for Ubuntu (This may prevent someone from hacking the site and then modifying both the download link and the hash to fool people.), but some sites like Kali Linux have the hashes on the same page as the downloads link.

Isn't this bad? What prevents someone form modifying the hash if they can already modify the download link?

forest
  • 65,613
  • 20
  • 208
  • 262
Henry WH Hack v3.0
  • 2,137
  • 2
  • 24
  • 37

1 Answers1

0

When you hash a file, you do this to validate the integrity of the file. You need to have other security measurements to protect and validate the integrity of the web page, that is not what hashing a file is meant to do.

Although is it safer to have the hash published separately for the exact same reason you stated, which is to protect the hash and the download link from being changed, you should also know that being able to change a web page is a really big security flaw and this is should never be acceptable. There should be logging in place to notice immediately when a web page was changed without you doing it.

If you can replace something on a web page, you can probably replace everything (download link and hash, for example).

Kevin
  • 1,653
  • 10
  • 20