Vulnerability Development mailing list archives
Re: Hashes,File protection,etc
From: Dave Aitel <dave () immunitysec com>
Date: 14 Oct 2002 15:34:55 -0400
On Mon, 2002-10-14 at 15:59, Dan Kaminsky wrote:
> Dave Aitel wrote:
>> On Mon, 2002-10-14 at 14:40, Dan Kaminsky wrote:
>>> For remotely computed data / hashes, you can't -- thus the folly of trusting MD5 hashes on critical files downloaded off of untrusted servers. If somebody can modify the tarball, they can probably modify the hash too.
>>
>> Well, not always, if there is a semi-trusted third party or two - see http://www.immunitysec.com/hashdb.html for one implementation of this sort of thing.
>
> Cool stuff there! Maybe host the DB over DNS or something trivial. hash.filename.immunitysec.com :-)
>
> Incidentally, Bitzi was/is trying to do something like your stuff for arbitrary data -- they didn't care what (P2P), they just hosted the translation between hash to content. Genuinely cool crypto, using Merkle's old Hash Tree concept. The great thing about hash trees is that you don't need the entire file to find out you're being fed bad data. I believe Bitzi opened their code, too: www.bitzi.com.
>
> --Dan

Cool. I'd go look at that, but 10000 people are currently grabbing SPIKE Proxy or SPIKE looking for that IIS DoS, which means my network connection is swamped. I squeeze my e-mail through, though. :>

Any solution to this problem would be good - be it mine, or something else. I'm really tired of hearing about opensource.tar.gz getting trojaned. If Ximian, Freshmeat.net, Akamai or something would host a HashDB server, we could be done with that stuff once and for all. As it is, you're only protected for files that I have bothered to go out and grab, or validated off of announcements.

--
Dave Aitel <dave () immunitysec com>
Immunity, Inc
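
The hash-tree property mentioned in the quoted text above (bad data can be rejected without having the entire file), as an added example that is not part of the original message and is not Bitzi's or HashDB's code. It is a generic binary Merkle tree over SHA-256; the 1 KiB chunk size, the leaf/node prefixes and all function names are assumptions for illustration, and the root is assumed to come from a trusted third party.

```python
import hashlib

CHUNK = 1024  # assumed chunk size for this example

def _h(prefix: bytes, data: bytes) -> bytes:
    # Distinct prefixes keep a leaf hash from being passed off as an inner node.
    return hashlib.sha256(prefix + data).digest()

def build_levels(data: bytes) -> list:
    """Return every level of the tree: leaf hashes first, root level last."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)] or [b""]
    level = [_h(b"\x00", c) for c in chunks]
    levels = [level]
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            if i + 1 < len(level):
                nxt.append(_h(b"\x01", level[i] + level[i + 1]))
            else:
                nxt.append(level[i])  # odd node out is promoted unchanged
        level = nxt
        levels.append(level)
    return levels

def proof_for(levels: list, index: int) -> list:
    """Sibling hashes from leaf to root as (sibling_is_left, hash) pairs."""
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):  # a promoted node has no sibling at this level
            proof.append((sib < index, level[sib]))
        index //= 2
    return proof

def verify_chunk(chunk: bytes, proof: list, trusted_root: bytes) -> bool:
    """Check one chunk against the root; no other chunk of the file is needed."""
    node = _h(b"\x00", chunk)
    for sibling_is_left, sib in proof:
        node = _h(b"\x01", sib + node if sibling_is_left else node + sib)
    return node == trusted_root

if __name__ == "__main__":
    # Constructed sample file: 4608 bytes, i.e. four full chunks and one half chunk.
    data = b"".join(i.to_bytes(2, "big") for i in range(2304))
    levels = build_levels(data)
    root = levels[-1][0]  # in practice obtained from the trusted third party
    chunk, proof = data[2048:3072], proof_for(levels, 2)
    print(verify_chunk(chunk, proof, root))              # genuine chunk
    print(verify_chunk(b"X" + chunk[1:], proof, root))   # tampered chunk
```

The downloader only needs the trusted root plus a short proof per chunk, so a modified chunk is caught as soon as it arrives; a proof supplied by the untrusted server is harmless because it cannot make a wrong chunk hash up to the trusted root.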