  Avoiding Trojans and Rootkits
Subject:   MD5 vs. PGP
Date:   2003-03-07 03:41:20
From:   anonymous2
You use an example of an ftp site with some files on it, and a file containing checksums to verify the integrity of these files. Let's presume the site in question has been hacked, and the software trojaned - it wouldn't take much for the attacker to modify the file containing MD5 sums to reflect the checksums on his modified version of the tarballs, etc.

In this instance I believe verifying PGP signatures would be a lot more reliable. For example, ftp.kernel.org does this with its files. There is a helpful document on this here: http://www.kernel.org/signature.html
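As an added illustration of the point above (not part of the original post), a Python model of the two verification paths: the MD5SUMS file is served by the same host as the tarball, so an attacker who controls that host rewrites both, while the signature check is anchored in key material the user obtained separately. An HMAC with an offline key stands in for the PGP signature, and all file names and contents are constructed.

```python
import hashlib
import hmac

# Constructed sample release; names and contents are made up for this model.
NAME = "example-1.0.tar.gz"
GOOD_TARBALL = b"example-1.0.tar.gz: pretend this is the real archive\n"
TROJANED_TARBALL = b"example-1.0.tar.gz: pretend this one carries a backdoor\n"
# Stand-in for the maintainer's private PGP key: kept offline, never on the FTP host.
MAINTAINER_KEY = b"constructed-offline-signing-key"

def md5sums_file(files):
    """Build an MD5SUMS file the way a release script would ("<md5>  <name>" per line)."""
    return "".join(f"{hashlib.md5(d).hexdigest()}  {n}\n" for n, d in files.items())

def sign(data, key):
    """Stand-in for a detached PGP signature (HMAC with the offline key)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def publish(files, key):
    """What the maintainer uploads: tarballs, MD5SUMS, and a detached .sign per file."""
    mirror = dict(files)
    mirror["MD5SUMS"] = md5sums_file(files).encode()
    for n, d in files.items():
        mirror[n + ".sign"] = sign(d, key).encode()
    return mirror

def attacker_replaces(mirror, name, trojaned):
    """Host is hacked: swap the tarball and rewrite MD5SUMS; .sign cannot be regenerated."""
    tampered = dict(mirror)
    tampered[name] = trojaned
    tampered["MD5SUMS"] = md5sums_file({name: trojaned}).encode()
    return tampered

def verify_md5sums(mirror, name):
    """Checks the tarball against MD5SUMS served by the very same host."""
    sums = dict(line.split("  ", 1)[::-1] for line in mirror["MD5SUMS"].decode().splitlines())
    return hashlib.md5(mirror[name]).hexdigest() == sums[name]

def verify_signature(mirror, name, trusted_key):
    """Checks the detached signature with key material the user obtained out of band."""
    return hmac.compare_digest(sign(mirror[name], trusted_key), mirror[name + ".sign"].decode())

def demo():
    clean = publish({NAME: GOOD_TARBALL}, MAINTAINER_KEY)
    hacked = attacker_replaces(clean, NAME, TROJANED_TARBALL)
    return {
        "md5_clean": verify_md5sums(clean, NAME),        # True
        "md5_hacked": verify_md5sums(hacked, NAME),      # True: the rewritten MD5SUMS matches
        "sig_clean": verify_signature(clean, NAME, MAINTAINER_KEY),    # True
        "sig_hacked": verify_signature(hacked, NAME, MAINTAINER_KEY),  # False: tampering detected
    }
```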

  • MD5 vs. PGP
    2003-12-11 09:33:26  anonymous2

    Yes, you are right about PGP over MD5, and following one post above, users should be instructed to use it that way, or MD5ing from different hosts will raise the security level checked by +1.

    But freebsd.org does the same as kernel.org; what happens is that it's impossible to use PGP right now on all ports, since it's a matter of "vendors" and third parties providing that feature, and not FreeBSD as the OS.
    FreeBSD does that for in-house productions like the SAs; the same is applied by default by the CVS structure on the src and ports trees. If you pay close attention, there's a PGP signature following each SA released and there's an .asc file following each patch released.

    We aren't any different.