Vulnerability Development mailing list archives
Re: Hashes,File protection,etc
From: Dan Kaminsky <dan () doxpara com>
Date: Mon, 14 Oct 2002 12:59:26 -0700
Dave Aitel wrote:
Cool stuff there! Maybe host the DB over DNS or something trivial. hash.filename.immunitysec.com :-)On Mon, 2002-10-14 at 14:40, Dan Kaminsky wrote:For remotely computed data / hashes, you can't -- thus the folly of trusting MD5 hashes on critical files downloaded off of untrusted servers. If somebody can modify the tarball, they can probably modify the hash too.Well, not always, if there is a semi-trusted third party or two - see http://www.immunitysec.com/hashdb.html for one implementation of thissort of thing.
Incidentally, Bitzi was/is trying to do something like your stuff for arbitrary data -- they didn't care what(P2P), they just hosted the translation between hash to content. Genuinely cool crypto, using Merkle's old Hash Tree concept.
The great thing about hash trees is that you don't need the entire file to find out you're being fed bad data.
I believe Bitzi opened their code, too: www.bitzi.com.
--Dan
Current thread:
- CROSS SITE-SCRIPTING Protection with PHP Astalavista Baby (Oct 10)
- Re: CROSS SITE-SCRIPTING Protection with PHP Valdis . Kletnieks (Oct 10)
- Re: CROSS SITE-SCRIPTING Protection with PHP Marvin Simkin (Oct 11)
- Re: CROSS SITE-SCRIPTING Protection with PHP Sverre H. Huseby (Oct 12)
- RE: CROSS SITE-SCRIPTING Protection with PHP Rob Shein (Oct 14)
- Re: CROSS SITE-SCRIPTING Protection with PHP Sverre H. Huseby (Oct 14)
- Re: CROSS SITE-SCRIPTING Protection with PHP Sverre H. Huseby (Oct 14)
- Re: CROSS SITE-SCRIPTING Protection with PHP Valdis . Kletnieks (Oct 14)
- Re: CROSS SITE-SCRIPTING Protection with PHP Dan Kaminsky (Oct 14)
- Hashes,File protection,etc Dave Aitel (Oct 14)
- Re: Hashes,File protection,etc Dan Kaminsky (Oct 14)
- Re: Hashes,File protection,etc Dave Aitel (Oct 14)
- /instmsg/alias/annoying_web_logs ;) H D Moore (Oct 15)
- Re: /instmsg/alias/annoying_web_logs ;) zeno (Oct 15)
- Re: /instmsg/alias/annoying_web_logs ;) Dave Aitel (Oct 15)
- Re: /instmsg/alias/annoying_web_logs ;) zeno (Oct 15)
- RE: /instmsg/alias/annoying_web_logs ;) Elan Hasson (Oct 15)
- RE: /instmsg/alias/annoying_web_logs ;) Dave Aitel (Oct 16)
- Re: /instmsg/alias/annoying_web_logs ;) zeno (Oct 16)
- Re: CROSS SITE-SCRIPTING Protection with PHP Marvin Simkin (Oct 11)
- Re: CROSS SITE-SCRIPTING Protection with PHP Valdis . Kletnieks (Oct 10)
- Re: /instmsg/alias/annoying_web_logs ;) Chip McClure (Oct 15)
- RE: /instmsg/alias/annoying_web_logs ;) Shawn K. Hall (RA/Security) (Oct 20)