Why verify a file / firmware downloaded online against a checksum?
Whenever there is a file / firmware to download online and they provide a checksum to check the file against, I always confirm the checksum of the downloaded file matches the checksum posted online.
But it has often crossed my mind: if a malicious 3rd party has FTP access and is able to swap out the file / firmware with a malicious build, they would surely have the technical know-how and access to go into the HTML / PHP etc. webpage file and update the checksum to match their now-malicious build, thus rendering the checksum worthless.
Have I missed the point here?
checksum
asked 3 hours ago
sam
Possible duplicate of Downloaded file checksums, Why is it necessary to match the checksum of a download with another file provided by the same server?, Does hashing a file from an unsigned website give a false sense of security?, Is there any purpose for providing checksums on a non-HTTPS location?.
– Steffen Ullrich
22 mins ago
2 Answers
All that you've missed is where a hash is supposed to protect you. You are correct that if an attacker has access to the server itself, they can just modify everything.
Where a hash is supposed to help you is against a man-in-the-middle attack. For example:
- Download file
- Read webpage for plaintext md5 or sha1
- Hash downloaded file
- Compare values
If someone were sitting in the middle, they could theoretically sit in the middle and change both also but there are other technical solutions to try to combat this (SSL/TLS (still vulnerable to MITM) and digital signatures).
EDIT: On some of the customer remediations I've been on, how we've used download hashes to try and mitigate a MITM is to download the bits, and then verify that the hash on the website is seen as the same over multiple connections/computers. This significantly decreases the likelihood that an attacker will own all of the investigators' means of connections. If the hashes from the source site are the same across the different connections/computers, it should be assumed to be relatively safe.
edited 2 hours ago
answered 3 hours ago
thepip3r
Some projects will use third parties to host large files in order to improve download speeds as well as offset the cost of maintaining the servers. In this case, with multiple third parties, it's possible one may be compromised. If that's the case, comparing the hash from the official website would indicate the compromise. One big example of this is what SourceForge did with multiple companies hosting files. These days many companies store their large files in the cloud using AWS, which may be separate from their web host.
– Daisetsu
53 mins ago
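The accepted answer's four-step procedure (download, read the published hash, hash the file, compare) and its EDIT about reading the published hash over several independent connections, as an added example that is not part of the original post or any project's code. It parses the `SHA256SUMS`-style file most projects publish, hashes the image in chunks as you would a large download, compares in constant time, and then runs the situations the question and the answer describe: an untampered download, a file swapped in transit while the published sum is genuine, and a server compromise where file and sum were both replaced. The firmware images, the sums files and the channel names are constructed for the example.

```python
"""Added example: verifying a download against a published SHA-256 sum,
and where that does and does not protect you. Illustrative code written
for this page, not code from the original post; all data is constructed."""
import hashlib
import hmac
import io

# Constructed "firmware" images: the vendor's build and an attacker's build.
GENUINE_FW = b"FIRMWARE v1.2.3\x00" + bytes(range(256)) * 4
EVIL_FW = GENUINE_FW.replace(b"v1.2.3", b"v1.2.4")  # same size, one field changed


def sha256_stream(stream, chunk_size=64 * 1024):
    """Hash a file-like object in chunks, as you would a multi-GB image."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def parse_sums(text):
    """Parse the SHA256SUMS format most projects publish: '<hex>  <name>'.
    A '*' before the name (sha256sum -b) is tolerated; '#' starts a comment."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("malformed sums line: %r" % line)
        sums[name] = digest
    return sums


def verify(blob, name, sums_text):
    """True iff blob hashes to the digest published for name.
    hmac.compare_digest keeps the comparison constant-time."""
    expected = parse_sums(sums_text).get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_stream(io.BytesIO(blob)), expected)


def cross_check(digests_by_channel):
    """The EDIT's technique: read the published digest over several independent
    paths (home ISP, a mobile network, a colleague's machine). Returns the agreed
    digest, or None if any channel disagrees; an attacker now has to control
    every path rather than just one."""
    values = set(d.lower() for d in digests_by_channel.values())
    return values.pop() if len(values) == 1 else None


def scenarios():
    """Walk the cases from the question and the accepted answer."""
    genuine_sums = "%s  firmware.bin\n" % sha256_stream(io.BytesIO(GENUINE_FW))
    evil_sums = "%s  firmware.bin\n" % sha256_stream(io.BytesIO(EVIL_FW))
    return {
        # Nothing tampered: verification passes.
        "clean": verify(GENUINE_FW, "firmware.bin", genuine_sums),
        # MITM swapped the file on the wire; the sums page you read is genuine.
        "mitm_file_only": verify(EVIL_FW, "firmware.bin", genuine_sums),
        # Server compromise: attacker replaced both the file and the sums page.
        "server_compromised": verify(EVIL_FW, "firmware.bin", evil_sums),
        # Cross-check: only one of three channels was MITMed, so they disagree.
        "cross_check_detects": cross_check({
            "home_isp": parse_sums(evil_sums)["firmware.bin"],
            "mobile_1": parse_sums(genuine_sums)["firmware.bin"],
            "mobile_2": parse_sums(genuine_sums)["firmware.bin"],
        }) is None,
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print("%-22s %s" % (case, result))
```

The server-compromise case passes verification, which is exactly the asker's point: the hash only tells you that what you received is what the server was serving. Reading the published hash over independent paths narrows the attacker to controlling the server itself; a detached signature from a key you already hold is what closes that remaining gap.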
Checksums are provided to detect corruption during file transfer, not to detect man in the middle attacks.
answered 3 hours ago
Teun Vink
He did say checksum... but most often you are provided a hash, not a checksum in my experience.
– thepip3r
3 hours ago
@Teun Vink What can be done (if anything) to prevent me downloading a malicious build in the first place? For instance, there was an issue recently with a malicious build of the popular video compression software HandBrake being distributed from their site.
– sam
3 hours ago
There's not much you can do to prevent that; mostly you can implement controls like virus scanners and malware detection to prevent you from running the installer.
– Teun Vink
2 hours ago
@thepip3r Intended usage is the only practical difference between a hash and a checksum here. Yes, SHA-1 (or even SHA-256) values for files are typically given, but they're meant to be used as checksums, not as hashes.
– Austin Hemmelgarn
2 hours ago
@AustinHemmelgarn, their intended use is making sure that all of the bytes arrive unmolested at the end-point. There should be a distinction between the two for a number of reasons. A checksum is not a hash; cryptographically speaking, they're not even in the same realm of discussion. Hashes happen to be able to provide a level of fidelity that the bits are what the source says they should be. In the case of a MITM, I've mitigated this in the past by verifying the site checksum over distinct connections (commercial, and 2 cell phones) to ensure no MITM.
– thepip3r
2 hours ago
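Teun Vink's answer and the comment thread under it turn on the difference between a checksum and a cryptographic hash. This added example (not from the original post or any project; the firmware images are constructed) makes that difference concrete with CRC-32, the checksum carried by ZIP archives and PNG chunks. Both CRC-32 and SHA-256 catch a flipped bit, but CRC-32 is linear, so an attacker who swaps in a malicious build can choose four bytes at its end that give it exactly the genuine image's CRC-32; SHA-256 offers no such shortcut. `forge_crc32_suffix` implements the standard CRC reversal: walk the register backwards from the wanted value to recover four table indices, then forwards from the real register to produce the bytes.

```python
"""Added example (not from the original post): a CRC-32 checksum versus a
SHA-256 hash under the question's threat model. Both catch accidental
corruption; only the hash resists a deliberate swap. All data is constructed."""
import hashlib
import zlib

# Constructed firmware images. The attacker's payload is 4 bytes shorter so
# the forged build ends up exactly the size of the genuine one.
GENUINE_FW = b"FIRMWARE v1.2.3\x00" + bytes(range(256)) * 4
EVIL_FW = b"FIRMWARE v1.2.3\x00" + b"\xcc" * 1020

POLY = 0xEDB88320  # reflected CRC-32 polynomial, as used by zlib


def _crc_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _crc_table()
# The high byte of each table entry is distinct, so a register's high byte
# identifies the table index that produced it. That is what makes CRC-32
# reversible one byte at a time.
BY_HIGH_BYTE = {t >> 24: k for k, t in enumerate(TABLE)}
assert len(BY_HIGH_BYTE) == 256


def forge_crc32_suffix(data, target_crc):
    """Return 4 bytes s such that zlib.crc32(data + s) == target_crc.
    Backward pass: recover the four table indices from the wanted register.
    Forward pass: turn those indices into bytes given the real register."""
    reg = zlib.crc32(data) ^ 0xFFFFFFFF   # internal register after data
    want = target_crc ^ 0xFFFFFFFF        # internal register we must reach
    idx = [0] * 4
    for i in (3, 2, 1, 0):
        k = BY_HIGH_BYTE[want >> 24]
        idx[i] = k
        want = (want ^ TABLE[k]) << 8     # bits 8..31 of the previous register
    out = bytearray()
    for k in idx:
        out.append((reg ^ k) & 0xFF)      # the byte that selects table index k
        reg = TABLE[k] ^ (reg >> 8)       # one step of the CRC-32 update
    return bytes(out)


def forgery_hits(data, target_crc):
    """True iff the forged suffix really yields target_crc."""
    return zlib.crc32(data + forge_crc32_suffix(data, target_crc)) == target_crc


def detects_bit_flip(data):
    """Accidental corruption (one flipped bit) is caught by both checks."""
    corrupted = bytearray(data)
    corrupted[len(data) // 2] ^= 0x01
    corrupted = bytes(corrupted)
    return {
        "crc32": zlib.crc32(corrupted) != zlib.crc32(data),
        "sha256": hashlib.sha256(corrupted).digest() != hashlib.sha256(data).digest(),
    }


def forged_build():
    """The attacker's image, padded to carry the genuine image's CRC-32."""
    return EVIL_FW + forge_crc32_suffix(EVIL_FW, zlib.crc32(GENUINE_FW))


def deliberate_swap():
    """A CRC-32 check passes on the forged build; SHA-256 still rejects it."""
    evil = forged_build()
    return {
        "crc32_matches": zlib.crc32(evil) == zlib.crc32(GENUINE_FW),
        "sha256_matches": hashlib.sha256(evil).digest() == hashlib.sha256(GENUINE_FW).digest(),
        "same_length": len(evil) == len(GENUINE_FW),
    }


if __name__ == "__main__":
    print("bit flip detected:", detects_bit_flip(GENUINE_FW))
    print("forged build:     ", deliberate_swap())
```

Run it and the forged build reports the genuine CRC-32 and a different SHA-256, at the same length as the genuine image. The fix-up costs a few table lookups, which is why a CRC in a firmware header says nothing about who produced the image; a cryptographic hash does bind the bytes, but only if the hash value itself reached you intact, which is the point the question raises.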