Checksum of current yacy installation file version

Post by Checksum » Tue Dec 06, 2016 11:24 pm

In order to be sure not to install a trojan horse by installing yacy,
a text file should be added at the download link
indicating the checksums of at least three checksums (like sha256, sha1 and md5).

The effort for adding this security feature would be very small.

More security:
Additionally the download server should be a https server.
Free https certificates are available at several hosts (e. g. novatrend.ch)

When can we expect the checksum text file on the download page?
Checksum
 
Posts: 1
Joined: Tue Dec 06, 2016 11:02 pm

Re: Checksum of current yacy installation file version

Post by biolizard89 » Wed Dec 07, 2016 2:41 am

Checksum wrote: In order to be sure not to install a trojan horse by installing yacy,
a text file should be added at the download link
indicating the checksums


It's not clear to me that adding unsigned hashes to the YaCy website (which doesn't have TLS) would be useful; anyone doing a MITM attack could change the hashes just as easily as changing the download binaries.

Enabling TLS on the YaCy website would be a much more important improvement; signing the downloads with PGP would also be useful (though less important than TLS).

Checksum wrote: of at least three checksums (like sha256, sha1 and md5).


SHA1 and MD5 have been known to be insecure for years. If you want to get some insurance against SHA2 being broken in the future, SHA3 would make sense.

Checksum wrote: More security:
Additionally the download server should be a https server.
Free https certificates are available at several hosts (e. g. novatrend.ch)


Let's Encrypt is an excellent gratis CA, and last I heard they're libre too.
biolizard89
 
Posts: 59
Joined: Thu Jan 03, 2013 12:42 am
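
An added example, not part of either post and not YaCy project code, illustrating the two points raised in this thread: a checksum file served over the same unauthenticated channel as the download passes verification even when both were replaced, and the check only becomes meaningful once the checksum file itself is authenticated. The manifest line format, the file name, the sample bytes and the pinned digest (standing in for a value obtained over TLS or from a verified PGP signature) are all constructed assumptions.

```python
import hashlib
import hmac

ALGORITHMS = ("sha256", "sha3_256")  # SHA-2 plus SHA-3 as a hedge; MD5/SHA-1 rejected

def digests(data: bytes) -> dict:
    """Hex digests of data under every algorithm in ALGORITHMS."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}

def build_manifest(filename: str, data: bytes) -> str:
    """One 'algorithm  hexdigest  filename' line per algorithm (constructed format)."""
    return "".join(f"{a}  {h}  {filename}\n" for a, h in digests(data).items())

def parse_manifest(text: str, filename: str) -> dict:
    """Return {algorithm: hexdigest} for filename; refuse algorithms not in ALGORITHMS."""
    found = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != filename:
            continue
        if parts[0] not in ALGORITHMS:
            raise ValueError(f"refusing weak or unknown algorithm: {parts[0]}")
        found[parts[0]] = parts[1].lower()
    return found

def verify(data: bytes, manifest: str, filename: str) -> bool:
    """True only if every required algorithm is listed and its digest matches."""
    expected = parse_manifest(manifest, filename)
    actual = digests(data)
    return all(
        alg in expected
        and hmac.compare_digest(expected[alg].encode(), actual[alg].encode())
        for alg in ALGORITHMS
    )

def verify_pinned(data: bytes, manifest: str, filename: str, pinned_sha256: str) -> bool:
    """Additionally require the manifest to match a digest from an authenticated channel."""
    manifest_hash = hashlib.sha256(manifest.encode()).hexdigest()
    return hmac.compare_digest(manifest_hash, pinned_sha256) and verify(
        data, manifest, filename)

# Constructed sample data: a genuine download and what a MITM would serve instead.
NAME = "installer.tar.gz"                          # placeholder file name
GENUINE = b"genuine installer bytes"
TAMPERED = b"tampered installer bytes"
GENUINE_MANIFEST = build_manifest(NAME, GENUINE)
FORGED_MANIFEST = build_manifest(NAME, TAMPERED)   # hashes recomputed in transit
PINNED = hashlib.sha256(GENUINE_MANIFEST.encode()).hexdigest()  # assumed trusted
```

`verify(TAMPERED, FORGED_MANIFEST, NAME)` returns `True`, which is the objection to unsigned hashes on a non-TLS site; `verify_pinned` with the same inputs returns `False`.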

