How do you know that a checksum text file has not been compromised?
Options
buglawton
Posts: 9,235 Forumite
in Techie Stuff
This must be a naive question but imagine the following scenario.
- Recently, Linux Mint was compromised and anyone downloading and installing it was probably hacked.
- So you're advised to always do a checksum validation of the downloaded file.
Taking example of Veracrypt. On one web page is the download and also a checksum validation text file. So you download both then go to a site like https://md5file.com/calculator and run it against the .exe you just downloaded. the checksum is match.
But what if... someone has hacked the Vercrypt download page and replaced the original .exe with a newly compiled hacked version. They then ran their new .exe against the same md5file.com check and copied the checksum generated. Then replaced the .txt file on Veracrypt's download page with a doctored one that perfectly matches the hacked .exe. Get both items from same web page, get a perfect match!
There must be a flaw in my argument or there'd be no point in verifying checksums. Should you obtain the .exe from website 1 and the checksum txt file from website 2 perhaps? If so how do you know of a reliable source website to trust?
- Recently, Linux Mint was compromised and anyone downloading and installing it was probably hacked.
- So you're advised to always do a checksum validation of the downloaded file.
Taking example of Veracrypt. On one web page is the download and also a checksum validation text file. So you download both then go to a site like https://md5file.com/calculator and run it against the .exe you just downloaded. the checksum is match.
But what if... someone has hacked the Vercrypt download page and replaced the original .exe with a newly compiled hacked version. They then ran their new .exe against the same md5file.com check and copied the checksum generated. Then replaced the .txt file on Veracrypt's download page with a doctored one that perfectly matches the hacked .exe. Get both items from same web page, get a perfect match!
There must be a flaw in my argument or there'd be no point in verifying checksums. Should you obtain the .exe from website 1 and the checksum txt file from website 2 perhaps? If so how do you know of a reliable source website to trust?
0
Comments
-
YOur scenario is totally valid.
The mitigation is that the checksum of popular ISOs is widely published and so every copy can't (easily) be replaced.0 -
Quite often there are mirror sites too, which would all need to be compromised also. No need to use external sites to check hashes either, - with powershell you can check without uploading https://technet.microsoft.com/en-us/library/dn520872.aspx Get-FileHash🍺 😎 Still grumpy, and No, Cloudflare I am NOT a robot 🤖BUT my responses are now out of my control they are posted via ChatGPT or the latest AI0
-
As well as MD5 (etc.) hashes, files can also be signed using PGP.
The idea here is that once you have trusted the key, you never need to download it again. You can check all subsequently signed files with the key in your PGP database.
If hackers replaced the key and file when you initially downloaded them, then they could be compromised. Over time, as no security breaches are reported, it would become much harder for a hacker to provide an unauthorised file without being noticed.
https://www.gnupg.org/gph/en/manual/x135.html
https://www.deepdotweb.com/jolly-rogers-security-guide-for-beginners/how-to-verify-your-downloaded-files-are-authentic/
It seems like a simple enough process, but I always find PGP software a little confusing. There must be a way to simplify the software so that everyday computer users would find it quick and foolproof. :-/0 -
Taking the example of Veracrypt again, I Googled for the name of the .txt file that holds the verification hash value. Came back with precisely one hit on a site outside of Veracrypts own. So only one extra site (which itself could be a dummy/decoy) needs to have a fake verification file on it to fool you.0
-
Taking the example of Veracrypt again, I Googled for the name of the .txt file that holds the verification hash value. Came back with precisely one hit on a site outside of Veracrypts own. So only one extra site (which itself could be a dummy/decoy) needs to have a fake verification file on it to fool you.
VeraCrypt is PGP signed, and has a live warrant canary on its site.
https://www.idrix.fr/Root/content/category/7/32/60/
Of course, (as far as I know) there's nothing to say that VeraCrypt isn't a program designed by a rogue government to give only an illusion of security. Remember how long it took to complete the security audit of TrueCrypt? And how ambiguous the findings were...?
If you need to be sure that what you're running is trustworthy, I guess you'd need to know exactly who is responsible for the project and make certain you can trust them (how?), and to avoid man-in-the-middle attacks you'd need to meet in person to exchange software, keys, etc.
And that assumes that the project's private key owners never make their key public (which would mean anyone could create an authentic PGP signature for the file). Was it Dell who got into trouble after hard-coding their private PGP key into some software recently...?0
This discussion has been closed.
Categories
- All Categories
- 343.2K Banking & Borrowing
- 250.1K Reduce Debt & Boost Income
- 449.7K Spending & Discounts
- 235.3K Work, Benefits & Business
- 608K Mortgages, Homes & Bills
- 173.1K Life & Family
- 247.9K Travel & Transport
- 1.5M Hobbies & Leisure
- 15.9K Discuss & Feedback
- 15.1K Coronavirus Support Boards