Google Summer of Code: Mozilla Projects
Posted Aug 23, 2007 14:46 UTC (Thu) by jengelh (guest, #33263)
Parent article: Google Summer of Code: Mozilla Projects
>Edward Lee's "Link Fingerprints" (mentored by Gervase Markham)
Perhaps the checksum should be sent along as an HTTP Response Header, though of course sourced from a static file, so as to not make Apache recalculate it every time.
Posted Aug 23, 2007 15:12 UTC (Thu)
by xav (guest, #18536)
[Link] (1 responses)
Posted Sep 28, 2007 13:40 UTC (Fri)
by swiftone (guest, #17420)
[Link]
Correct. This would be of value when the source of the link is not the same as the source of the file.
LWN, for example, could post links to packages on ibiblio. On download, the files from one source (ibiblio) would be checked to match the hash from another (LWN).
At that point the system is as trusted as the source of the link, which can have errors, but may be more secure than the current system (where the hash is rarely verified).
Posted Aug 28, 2007 9:40 UTC (Tue)
by Wummel (guest, #7591)
[Link]
I doubt sending the md5 alongside the file will make it really secure in
case of trojaned file. A non-stupid cracker would modify the md5 as well as
the file (or, this would be done automatically if computed on-the-fly by
apache).
The advantage of md5 embedded in the webpage is that modifying the ISO and
modifying the HTML accordingly is hard.
I doubt sending the md5 alongside the file will make it really secure in
case of trojaned file.
> Perhaps the checksum should be sent along as an HTTP Response Header,
There is the ETag HTTP header defined. Though it seems the ETag value only gets used for cache validation, and not for content verification.
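
The distinction drawn in the comments above, as an added example that is not part of the original thread or of the Link Fingerprints project: a digest published in the link by a different site catches a tampered file, while a digest sent by the same server that sent the file does not. The `#!alg!hex` fragment syntax, the host `files.example` and all function names are assumptions for illustration; the sample bytes are constructed.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Hex digest length per permitted algorithm (md5 kept because the thread uses it).
HEX_LEN = {"md5": 32, "sha256": 64}

def parse_fingerprint(link):
    """Return (algorithm, hex digest) from an assumed '#!alg!hex' fragment, else None."""
    parts = urlsplit(link).fragment.split("!")
    if len(parts) != 3 or parts[0] != "":
        return None  # ordinary link, nothing to verify
    alg, digest = parts[1].lower(), parts[2].lower()
    if alg not in HEX_LEN:
        raise ValueError("unsupported fingerprint algorithm: " + alg)
    if len(digest) != HEX_LEN[alg] or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("malformed fingerprint digest")
    return alg, digest

def verify_download(link, body):
    """True/False when the link carries a fingerprint, None when it does not."""
    fp = parse_fingerprint(link)
    if fp is None:
        return None
    alg, expected = fp
    return hmac.compare_digest(hashlib.new(alg, body).hexdigest(), expected)

def header_matches(header_digest, body):
    """Check against a digest sent by the same server that sent the body."""
    return hmac.compare_digest(hashlib.sha256(body).hexdigest(), header_digest.lower())

def demo():
    original = b"constructed sample: ISO contents as published"
    tampered = b"constructed sample: ISO contents after tampering"
    # The linking site computed this from the original file.
    link = "http://files.example/pkg.iso#!sha256!" + hashlib.sha256(original).hexdigest()
    # A compromised file server recomputes its own header for the tampered body.
    server_header = hashlib.sha256(tampered).hexdigest()
    return {
        "header_vs_tampered": header_matches(server_header, tampered),
        "link_vs_tampered": verify_download(link, tampered),
        "link_vs_original": verify_download(link, original),
        "plain_link": verify_download("http://files.example/pkg.iso", tampered),
    }

if __name__ == "__main__":
    print(demo())
```

The header check passes for the tampered body because the same party controls both values; the link check fails because the expected digest comes from the linking site.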
