What is the point of providing shaXXX hashes for downloads of software over say TLS when any attacker that could change the download could have easily changed the hash? Isn't there enough information in the download to know that it is corrupt? Just seems brain dead to me.
Asked
Active
Viewed 106 times
1
-
1Prob dupe https://security.stackexchange.com/questions/1687/does-hashing-a-file-from-an-unsigned-website-give-a-false-sense-of-security and https://security.stackexchange.com/questions/111895/why-are-there-hashes-next-to-downloads – dave_thompson_085 Jun 09 '19 at 23:30
1 Answers
1
Correct, if the hash is provided on the website next to the download then it does nothing. If the hash is provided over a separate channel, especially if something reliably archives the hash that was published when the binary was published, then it provides some security. Not as much security as a digital signature, but some.
So hashes published in archives of mailing lists, hashes you received by email directly, hashes in package manager manifests, etc. are useful.
Z.T.
- 7,963
- 1
- 22
- 36