I noticed that people tend to upload checksums even when the download is configured to use secure connection. For example, GitHub redirects all traffic to HTTPS, but the SHA sums are nevertheless provided. https://github.com/prometheus/node_exporter/releases/tag/v0.18.1 Isn't this entirely superfluous?
Asked
Active
Viewed 40 times
0
-
Related: https://superuser.com/q/849845/219095 – Daniel B Jan 27 '20 at 13:04
-
SHA256 is secure today but it might not be secure tomorrow. SHA1 isn't secure today. MD5 was secure yesterday until it wasn't. MD5 can still safety be used to verify the checksum of a file it just can't be used to hash a password. SHA being superfluous entirely depends on what it's be used for. – Ramhound Jan 27 '20 at 15:23
2 Answers
2
Checksums can be used to verify that a file downloaded correctly, but they can also be used to verify that the file downloaded from mirrors or third-party sites outside the authors control are hosting the correct and unmodified file. As such it is used to verify that the file has not been tampered with.
Whether or not it is "superfluous" depends on what the use case.
Mokubai
- 89,133
- 25
- 207
- 233
0
A checksum enables you to verify that a file is "intact". A file might not just become damaged by malicious modification but might also simply be "damaged" by faulty hardware, a short connection outage, a bit flip or security software that tampers with it. Which are things that are not covered by SSL/TLS.
Seth
- 9,000
- 1
- 19
- 34