Important Suggestion: for MDL Projects and Applications [Crypto] *** See Admin + Mods

Discussion in 'Application Software' started by PalermoTech46, Nov 18, 2011.

Thread Status:
Not open for further replies.
  1. PalermoTech46

    PalermoTech46 MDL Junior Member

    Nov 18, 2011
    61
    2
    0
    #1 PalermoTech46, Nov 18, 2011
    Last edited: Nov 18, 2011
  2. karrde

    karrde MDL Novice

    May 19, 2007
    22
    3
    0
    Download only at the authors Page / from the authors MDL thread post download Link is as save as every (future) hashes.

    100% same security as download from a post that say "Download this. With this SHA-1024 checksum. Have fun. ( :iamaliar: ?)".

    And use checksums (even if MD5) only to check for download errors.

    Just my 2 cents.


    Btw there is a Suggestions and Feedbacks section at MDL.
     
  3. PalermoTech46

    PalermoTech46 MDL Junior Member

    Nov 18, 2011
    61
    2
    0
    The host accounts where the authors upload releases could become compromised, files swapped, and also many other potential problems. Whereas if we have the signatures ahead of time on file, we can compare and deter these kind of malicious dupes for good. Cryptography is very reliable. Oh and thank you for the Feedback section. I'll post there :)
     
  4. karrde

    karrde MDL Novice

    May 19, 2007
    22
    3
    0
    = The authors MDL accounts can be compromised and not only files/links swapped but even the posted checksums faked?
     
  5. PalermoTech46

    PalermoTech46 MDL Junior Member

    Nov 18, 2011
    61
    2
    0
    Since the checksum text is hosted on MDL, we have control over that. Whereas external hosting sides or the author's emails/systems can be compromised. We can make a universal thread "MDL projects hash signatures" to aggregate all checksums on a central place. Then lock the thread and make it read-only with time stamps and editable only by high mods or perhaps only by an admin.
     
  6. PalermoTech46

    PalermoTech46 MDL Junior Member

    Nov 18, 2011
    61
    2
    0
    While the author's/developer's are active (and who they say they are) we can record all the signatures and whitelist those known and verified hashes. And in the event the author's release thread is taken over and signatures modified and links poisoned, the authors can obviously notify us right away through a new account that their account or by email that they've been compromised so we can shutdown the bad links. But we need to take the snapshot of the applications and their signatures right away so we can have a reference for comparison in the case of an attack or just for security and good practice. Is all about being ready...
     
  7. PalermoTech46

    PalermoTech46 MDL Junior Member

    Nov 18, 2011
    61
    2
    0
  8. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    11,171
    10,931
    340
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...