Puppy Linux Discussion Forum
Fellow murga uploaders, let's STOP using MD5/SHA1 ;-/
belham2

Joined: 15 Aug 2016
Posts: 1511

Posted: Sun 18 Dec 2016, 05:16    Post subject: Fellow murga uploaders, let's STOP using MD5/SHA1 ;-/

http://www.theregister.co.uk/2016/11/10/yahoo_breach_disclosure_analysis/

Look at the above article. It seems Yahoo knew about this breach as early as 2014, and chose to remain quiet (bet their employees sure changed passwords, accounts and/or left to someone more secure). But what is even more ghastly is Yahoo's known reliance on MD5 check sums for "both" file integrity and security checks (notice the paragraph where it discusses Yahoo still using MD5 hash checks).

MD5 & SHA1 are both known to be easily compromised. Could this not be a wakeup call to all puppy OS developers (and offshoots), plus all the package maintainers, here on Murga-Linux? How about a simple move to a minimum of SHA256 or, even better, sha512 check sums for anything uploaded to murga???

I may be wrong, but I've been told that putting sha256 and sha512 sums into ISOs, uploaded files, or whatever, is no harder & takes no more time than putting MD5 or SHA1 sums in. If this is true, it begs the question why is/are MD5/SHA1 sums used by anyone uploading things here?

In fact, if you notice & look around murga, there are a select few murga uploaders who are up to speed with this stuff----all their uploads are either SHA256 and/or SHA512.

Let's make a concerted push here: fellow murga goers, let's get up with the times and STOP using MD5/SHA1 for anything uploaded here whether it is security checks and/or file integrity checks. Start using sha256 or sha512.

Please upvote and/or respond to this thread if you agree (or disagree too---which is curious since a move to SHA256/512, if it actually entails no more effort than MD5/SHA1, is defended).


P.S. And notice that the checksum utilities offered in most pups do all, md5, sha1, sha256, and sha512. The ones that don't, well they are easily modified...I know, I posted in Peebee's threads modifying the checksum in LxPup's with an easy addition of a few lines of code in the script.
perdido


Joined: 09 Dec 2013
Posts: 779
Location: ¿Altair IV , Just north of Eeyore Junction.?

Posted: Sun 18 Dec 2016, 12:10

Quote:
it begs the question why is/are MD5/SHA1 sums used by anyone uploading things here?


Out of habit mostly.

Not sure exactly what you are referring to, pet files, iso files, home-made files, etc., stuff on other servers, murga only, or everything under the sun?

Most stuff uploaded here has no checksum accountability whatsoever.
I believe there are md5 checksums in pet files.

As far as changing to sha1 or sha256, easy enough for individual packages to include the checksum in a txt but not sure how to automate that retroactively in files that have built-in md5, or how to change petget utility to handle different checksums.

I will add this to my to-do list for things I posted here.




_________________
Giving with an expectation for return brings misery.
dancytron

Joined: 18 Jul 2012
Posts: 1027

Posted: Sun 18 Dec 2016, 17:38

I don't think it makes any difference when you are just using the checksum for file integrity. There is nothing to crack. Either the file is good or it isn't. There is nothing for anyone to steal. Checksums are more effective in finding file corruption than just checking that the files are the exact same size, otherwise we'd just do that.

It is totally different if it is being used to keep something secret or for a security check, but in the case of uploaded files it isn't.
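Added example, not part of any post in this thread and not the petget or LxPup checksum code: POSIX shell functions that write SHA-256/SHA-512 sidecar files for an upload and verify a download against a published digest, inferring the algorithm from the digest length so that existing MD5/SHA1 sums still check but are reported as weak. The function names and return codes are assumptions made for illustration; the coreutils `md5sum`, `sha1sum`, `sha256sum` and `sha512sum` tools are assumed to be installed.

```shell
#!/bin/sh
# Illustrative helpers (hypothetical names, not from any Puppy utility).

# hex_digest ALGO FILE : print only the hex digest of FILE
hex_digest() {
    "${1}sum" "$2" | cut -d' ' -f1
}

# algo_for HEX : print the algorithm implied by the digest length
algo_for() {
    case ${#1} in
        32)  echo md5 ;;
        40)  echo sha1 ;;
        64)  echo sha256 ;;
        128) echo sha512 ;;
        *)   return 1 ;;
    esac
}

# verify_sum FILE HEX
# returns 0 = match with sha256/sha512
#         1 = digest does not match the file
#         2 = HEX is not a recognised digest
#         3 = match, but only under md5/sha1 (corruption check only)
verify_sum() {
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case $want in *[!0-9a-f]*|'') return 2 ;; esac
    algo=$(algo_for "$want") || return 2
    [ "$(hex_digest "$algo" "$1")" = "$want" ] || return 1
    case $algo in md5|sha1) return 3 ;; esac
    return 0
}

# make_sums FILE : write FILE.sha256 and FILE.sha512 next to FILE,
# in the format that `sha256sum -c` / `sha512sum -c` accept
make_sums() {
    ( cd "$(dirname "$1")" && f=$(basename "$1") &&
      sha256sum "$f" > "$f.sha256" &&
      sha512sum "$f" > "$f.sha512" )
}
```

A downloader can then run `sha256sum -c file.sha256` in the download directory, or call `verify_sum file <digest>` with a digest copied from a forum post.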