Discussion in 'Application Software' started by PalermoTech46, Nov 18, 2011.
Downloading only from the author's page / from the download link in the author's MDL thread post is as safe as any (future) hashes.
100% the same security as downloading from a post that says "Download this. With this SHA-1024 checksum. Have fun.".
And use checksums (even if MD5) only to check for download errors.
Just my 2 cents.
Btw there is a Suggestions and Feedbacks section at MDL.
The host accounts where the authors upload releases could become compromised, files swapped, and also many other potential problems. Whereas if we have the signatures ahead of time on file, we can compare and deter these kinds of malicious dupes for good. Cryptography is very reliable. Oh and thank you for the Feedback section. I'll post there.
= The authors' MDL accounts can be compromised and not only files/links swapped but even the posted checksums faked?
Since the checksum text is hosted on MDL, we have control over that. Whereas external hosting sites or the authors' emails/systems can be compromised. We can make a universal thread "MDL projects hash signatures" to aggregate all checksums in a central place. Then lock the thread and make it read-only with time stamps and editable only by high mods or perhaps only by an admin.
While the authors/developers are active (and who they say they are) we can record all the signatures and whitelist those known and verified hashes. And in the event the author's release thread is taken over and signatures modified and links poisoned, the authors can obviously notify us right away, through a new account or by email, that their account has been compromised so we can shut down the bad links. But we need to take the snapshot of the applications and their signatures right away so we can have a reference for comparison in the case of an attack or just for security and good practice. It's all about being ready...
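The comparison debated above, as an added example that is not part of any poster's message: a download is checked both against the checksum currently shown in the release post and against a snapshot recorded earlier in a locked list, which separates a swap of file and posted checksum together from an ordinary download error. SHA-256, the function names, the file name and the sample bytes are assumptions constructed for the illustration.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_release(name: str, data: bytes, posted_hash: str, pinned: dict) -> str:
    """Classify a download using the locked snapshot (pinned) and the
    checksum currently displayed in the release post (posted_hash)."""
    entry = pinned.get(name)
    if entry is None:
        return "unknown-release"        # never snapshotted: nothing to compare against
    actual = sha256_hex(data)
    posted = posted_hash.strip().lower()
    file_ok = hmac.compare_digest(actual, entry["sha256"])
    post_ok = hmac.compare_digest(posted, entry["sha256"])
    if file_ok and post_ok:
        return "ok"
    if file_ok:
        return "post-edited"            # file intact, but the posted checksum changed
    if hmac.compare_digest(actual, posted):
        # File and posted checksum agree with each other but not with the
        # snapshot: both were replaced after the snapshot was taken.
        return "file-and-post-swapped"
    return "file-mismatch"              # download error or a swapped file


# Constructed sample data (hypothetical release, not a real MDL project).
GOOD = b"constructed sample: original release bytes"
EVIL = b"constructed sample: swapped release bytes"
PINNED = {"tool-1.0.zip": {"sha256": sha256_hex(GOOD), "recorded": "constructed-date"}}

if __name__ == "__main__":
    cases = [
        ("tool-1.0.zip", GOOD, sha256_hex(GOOD)),
        ("tool-1.0.zip", EVIL, sha256_hex(EVIL)),
        ("tool-1.0.zip", EVIL, sha256_hex(GOOD)),
        ("other-2.0.zip", GOOD, sha256_hex(GOOD)),
    ]
    for name, data, posted in cases:
        print(name, verify_release(name, data, posted, PINNED))
```

A checksum read from the same post as the download link only yields the "ok" versus "file-mismatch" distinction; the other verdicts depend on the snapshot being stored where the release post's editor cannot change it.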
PalermoTech46, this is the second double post already.
Please respect our rules. I don't know what's your problem.
Are you OK?