Author Topic: You should be Using SHA256/SHA512 on the Downloads Page  (Read 341 times)

douche

  • Jr. Member
  • **
  • Posts: 95
You should be Using SHA256/SHA512 on the Downloads Page
« on: April 27, 2018, 03:18:59 PM »
MD5 is easily forged with $10K of computer equipment.

Even SHA1 is no longer safe, according to Google:
https://www.infoworld.com/article/3173845/encryption/google-kills-sha-1-with-successful-collision-attack.html

Please list SHA256/SHA512 hashes for each download.

AQUAR

  • Hero Member
  • *****
  • Posts: 1074
Re: You should be Using SHA256/SHA512 on the Downloads Page
« Reply #1 on: April 29, 2018, 12:32:56 PM »
Curious if you ever had some sort of issue with Avidemux that a check against a hash string would have avoided?

Not that I am against hash verification or that I think it would be hard to automate the generation of a SHA hash for each compile.

« Last Edit: April 29, 2018, 12:36:29 PM by AQUAR »

eumagga0x2a

  • Hero Member
  • *****
  • Posts: 2123
Re: You should be Using SHA256/SHA512 on the Downloads Page
« Reply #2 on: April 29, 2018, 01:40:30 PM »
Listing cryptographically robust hashes on web pages distributed over HTTP is pointless. The only real improvement would be to use detached GPG signatures (which virtually nobody on Windows will check).


AQUAR

  • Hero Member
  • *****
  • Posts: 1074
Re: You should be Using SHA256/SHA512 on the Downloads Page
« Reply #3 on: May 01, 2018, 01:02:30 PM »
Stating that hashes are pointless over HTTP is just a bit harsh.

When source and hash are coming from the same origin, it does provide extra integrity verification of the data transmitted.

If there is some malicious intrusion over HTTP then that is another story.

That said, I never had an issue with fetching nightlies from the official repository.
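
Added example, not part of any post in this thread and not Avidemux project code: a small verifier for `sha256sum`/`sha512sum`-style checksum lists, illustrating the two positions argued above. The file name, sample contents and function names are constructed for the illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Hex length -> algorithm; MD5 (32) and SHA-1 (40) are deliberately absent.
ALGO_BY_HEXLEN = {64: "sha256", 128: "sha512"}


def file_digest(path, algo, chunk=1 << 20):
    """Hash a file in chunks so large installers need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_checksums(text):
    """Parse sha256sum/sha512sum style lines: '<hex>  <name>'."""
    entries = {}
    for line in filter(str.strip, text.splitlines()):
        hexdigest, name = line.split(None, 1)
        algo = ALGO_BY_HEXLEN.get(len(hexdigest))
        if algo is None:
            raise ValueError(f"unsupported digest length for {name!r}")
        entries[name.strip().lstrip("*")] = (algo, hexdigest.lower())
    return entries


def verify(path, checksums_text):
    """True only if the file is listed and its digest matches."""
    entry = parse_checksums(checksums_text).get(Path(path).name)
    return entry is not None and hmac.compare_digest(
        file_digest(path, entry[0]), entry[1])


def demo():
    """Constructed sample data; returns (intact, altered, both_replaced)."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "sample_installer.bin"  # constructed file name
        path.write_bytes(b"release build\n" * 1000)
        listed = f"{file_digest(path, 'sha256')}  {path.name}\n"
        intact = verify(path, listed)
        path.write_bytes(b"altered build\n" * 1000)  # changed in transit
        altered = verify(path, listed)
        relisted = f"{file_digest(path, 'sha512')}  {path.name}\n"  # list replaced too
        both_replaced = verify(path, relisted)
    return intact, altered, both_replaced
```

`demo()` returns `(True, False, True)`: a listed digest catches a file that changed while the list did not, but the check still passes when the list arrives over the same unauthenticated channel and is replaced along with the file, which is the case a detached signature checked against a key obtained separately is meant to cover.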