TinyWall Version 3 released!
<blockquote data-quote="ultim" data-source="post: 878146" data-attributes="member: 843"><p>No, I understood you perfectly, but it seems I didn't get my point about the link over to you. It doesn't matter that the link is http://, it will still give you an encrypted connection. Now, I'm still going to change the link to https just so that people like you don't get confused over it, but I'll leave it like this for a day or two to let you try it out and see for yourself. http:// or httpS:// doesn't matter on TinyWall's website, everything is over an encrypted connection.</p><p></p><p>MD5 and SHA1 are broken only as cryptographic hashes, but hashes in general have other applications too. You seem to be missing the fact that not all applications of hashes need to have cryptographically secure properties. Verifying download/file integrity is a perfectly valid and safe use even for "broken" hashes like MD5. As a counterexample, yes it would be very bad if MD5 was used as the hash algorithm for passwords or in TinyWall's digital signature, but those are different applications with different demands than the one on the website.</p><p></p><p>You are correct that hosting the hashes on a different server than the downloads (like, here) would improve their security. The problem with that is nobody would know about them and hence nobody would be able to check them, except for the few people coming to this thread. And no I cannot just link it from the download page, because again, if somebody can replace the download, then the link leading to the correct hashes will be also modified by the same attacker. <s>Or I guess I could setup a separate secure fileserver for hosting only the downloads away from the website. Of course you are volunteering for maintenance and bearing the costs.</s> EDIT: Actually that wouldn't help one bit either because then the attacker would just modify the hashes and the link to the downloads.</p><p></p><p>Please stop obsessing over the MD5/SHA1 on the download page, there is no good reason they need to be SHA-any-big-number. That would be actually worse, because it would give people a false impression of security. If you are really serious about the issue, you should get used to relying on download signatures instead of posted hashes. This is what digital signatures were made for, and there is a reason they exist.</p></blockquote><p></p>
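An added illustration of the argument in the post above (example code written for this page, not TinyWall's or ultim's): a small Go model of a download page where the hash is served beside the file, showing that an attacker who can replace the download can also replace the posted hash, while a signature checked against a public key the user already holds still fails. All installer bytes, the Ed25519 key pair and the `Site` type are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Site models a download page: the installer, the hash posted beside it and a
// detached signature. All file contents here are constructed sample bytes.
type Site struct {
	Installer []byte
	PostedSHA string // hex SHA-256, served from the same server as the file
	Signature []byte // Ed25519 over the installer bytes
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Publish builds the page as the author would; the private key stays offline.
func Publish(priv ed25519.PrivateKey, installer []byte) Site {
	return Site{installer, sha256Hex(installer), ed25519.Sign(priv, installer)}
}

// Compromise models an attacker who can write to the web server: they swap the
// installer and the hash next to it, but cannot sign without the private key.
func Compromise(s Site, malicious []byte) Site {
	s.Installer, s.PostedSHA = malicious, sha256Hex(malicious)
	return s
}

// HashCheck: the user compares the download with the posted hash. It catches
// a corrupted transfer, not a substituted file.
func HashCheck(s Site) bool { return sha256Hex(s.Installer) == s.PostedSHA }

// SignatureCheck verifies with a public key the user already holds (pinned),
// which a compromise of the download server cannot change.
func SignatureCheck(pinned ed25519.PublicKey, s Site) bool {
	return ed25519.Verify(pinned, s.Installer, s.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	site := Publish(priv, []byte("genuine installer (constructed)"))
	fmt.Println("genuine:  hash", HashCheck(site), " sig", SignatureCheck(pub, site))
	site = Compromise(site, []byte("trojanised installer (constructed)"))
	fmt.Println("tampered: hash", HashCheck(site), " sig", SignatureCheck(pub, site))
}
```

The hash check reports true for both the genuine and the substituted file, which is why a posted hash on the same server cannot detect a replaced download; only the signature check distinguishes them.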