SHA256 and HTTPS for hashes

Wed Oct 14, 2009 8:08 pm

Post by Sontaran »

Hello. I'd like to suggest upgrading from MD5 to SHA256 (or better), for the hash you post for users to verify their files, now that MD5 has been crackable for some time.
Also, I'd like to suggest implementing https for the pages that show the file verification hashes.

Since Mint is the most popular Linux distribution, and has been for a few years, according to Distrowatch, it's probably a bigger target for MITM attacks and other mischief, and these two measures would go a long way to protect users.


Sun Jun 14, 2015 9:00 pm
Location: l’île de Pélops

Re: SHA256 and HTTPS for hashes

Post by C10H20O »

I'd like to suggest implementing https for the pages that show the file verification hashes (..) it's probably a bigger target for MITM attacks and other mischief
It's more presumable that the host itself will be the target and the file (including the checksum) will be compromised.

Take a look at a mirror's directory listing:

There you will find

Code: Select all

sha256sum.txt                                      07-Apr-2015 14:27                2493
sha256sum.txt.gpg                                  07-Apr-2015 14:34                 198
First of all,
take care about your gpg configuration.
A good starting point would be perhaps ... -practices
and it's file ... g/gpg.conf

Code: Select all


Then investigate the signature

Code: Select all

gpg --list-packets --verbose sha256sum.txt.gpg
The output looks like

Code: Select all

gpg: armor header: Version: GnuPG v1.4.12 (GNU/Linux)
:signature packet: algo 17, keyid 3EE67F3D0FF405B2
	version 4, created 1428416355, md5len 0, sigclass 0x00
	digest algo 2, begin of digest 79 92
	hashed subpkt 2 len 4 (sig created 2015-04-07)
	subpkt 16 len 8 (issuer key ID 3EE67F3D0FF405B2)
	data: [159 bits]
	data: [159 bits]
It's time to get the signer's key in a proper way (look gpg.conf above):

Code: Select all

gpg --search-keys 3EE67F3D0FF405B2
It shows me

Code: Select all

gpg: searching for "3EE67F3D0FF405B2" from hkps server
(1)	Clement Lefebvre (Linux Mint Package Repository v1) <
	  1024 bit DSA key 0x3EE67F3D0FF405B2, created: 2009-04-29
You can look for more information on: ... n&exact=on

Code: Select all

pub  1024D/0FF405B2 2009-04-29            
	 Fingerprint=E1A3 8B8F 1446 75D0 60EA  666F 3EE6 7F3D 0FF4 05B2 

uid Clement Lefebvre (Linux Mint Package Repository v1) <>
sig  sig3  0FF405B2 2009-04-29 __________ __________ [selfsig]
sig  sig   AD11CBEE 2010-03-17 __________ __________ Steven Hancock <>
sig  sig   B8F07507 2014-03-16 __________ __________ Tobias Loose <>
sig  sig   D068D42F 2014-12-08 __________ __________ Corey Sheldon (fedoraproject --default key) <>

sub  2048g/0F346519 2009-04-29            
sig sbind  0FF405B2 2009-04-29 __________ __________ []
And there it is:
A frightening ugly public key

Only three people signed the key.
Only one of these signers is doing something for his web of trust (Tobias Loose).

No one of the team members are related to it.

It's a strange fact for the most popular distribution.
It's sad that none of the support-team answered to this thread yet!

There are six different public keys for "Clement Lefebvre".
Neither signed nor revoked

Here are some examples to learn from: ... ex.en.html

And if you want to launch a TLS based website,
you can get a level 1 certificate for free: ... r/startssl

And please, secure your server:
Tue Jul 06, 2010 12:50 am
Location: India

Re: SHA256 and HTTPS for hashes

Post by badbodh »

nice way to advertise unrelated stuff here
