While 'Mint' is securing things...
|
Author | Content |
---|---|
dotmatrix Feb 23, 2016 10:02 AM EDT |
They should also update the ISO checksums to SHA256... MD5 is very very broken.Gary Newell in article wrote:MD5 is the option you need to choose if you are using Linux Mint. For other distributions this option may be SHA256. |
hughesjr Feb 23, 2016 12:33 PM EDT |
Right, the should be using sha256. not md5 |
seatex Feb 23, 2016 8:54 PM EDT |
They just released a security update for Mint Update today. Hopefully they will adopt SHA256 as well. |
BernardSwiss Feb 23, 2016 9:26 PM EDT |
(As I understand the matter) for the purposes that Mint is using MD5 -- ie. verifying the integrity of a downloaded ISO -- MD5 is still consider sufficient (as the task of creating an altered large image with the same checksum is not yet feasible). And in this case, it doesn't matter anyhow; as any malicious party who is able to change the download link on the official distribution download page, to point to some bogus image on some Bulgarian server instead of the the official ISO, can just as easily change the checksum(s) on the same web-page as the link to match their trojan ISO -- whether the checksums are are MD5 or SHA256 or whatever. |
mbaehrlxer Feb 23, 2016 11:43 PM EDT |
right, those checksums are nothing but a verification that no bits fell over while the download happened. to get true verification, download files need to be signed with eg a pgp key, where the private key is stored off-site and can't be accessed by any intruders. greetings, eMBee. |
gary_newell Feb 25, 2016 8:57 AM EDT |
You need GPG to check the validity of the checksum and the SHA256 checksum to check the validity of the ISO. The process for checking the whole GPG thing needs to be better defined with better instructions. If you are a Windows user moving to Linux then the software available is very complex with very few instructions. People will just skip it and hope for the best. Maybe there should be a central website which stores all the checksums as well as the distributions own site. If the checksum website gets hacked you can verify with the distribution and vice versa. |
dotmatrix Feb 25, 2016 11:43 AM EDT |
>Maybe there should be a central website which stores all the checksums as well as the distributions own site. If the checksum website gets hacked you can verify with the distribution and vice versa. I second this idea... however, it would be better implemented in a way similar to DKIM and SPF for email... SPF has a DNS record pointing to the domain or IP of a 'trusted' sender. DKIM automatically signs the email envelope and checks the signature and body hash on the other side... Translate to distro ISO distribution means: Place a DNS TXT record for a designated domain or IP for the ISOs. Create an auto-sign ISO server program -- could use DKIM as a base -- Then either/or/and create a browser extension / DL_ISO program which checks the DNS records for the designated ISO domain and auto-verifies the ISO server signatures and ISO hash. |
dotmatrix Feb 25, 2016 4:29 PM EDT |
Here... I drew a diagram to visualize my idea - if anyone is interested....------------------------. | DNS TXT Record #1 | | | | The IP Address or FQDN |-------------------. | -of the ISO collection | | '------------------------' | v .--. .------------------------. _ -( )- _ | DNS TXT Record #2 | .--,( ),--. | | _.-( )-._ | The public key for |-->( INTERNET )----. | -the ISO collection | '-._( )_.-' | '------------------------' '__,( ),__' | - ._(__)_. - | ^ | .------------. | | | Signed ISO | | | | |--------------------------' | '------------' | ^ .---------------------. | | | Browser Extension | | | | DNS look-up |<--------' | | | .---------------------. '---------------------' | Server program | | | auto-signature | | | | v '---------------------' .--------------------. ^ | Browser Extension | | | IP Verify | | '--------------------' .-----------------. | | Private Key | | | | v '-----------------' .---------------------. | Browser Extension | | Signature verify | | | '---------------------' |
Posting in this forum is limited to members of the group: [ForumMods, SITEADMINS, MEMBERS.]
Becoming a member of LXer is easy and free. Join Us!