downloads getting insecure each day and somebody should do something
Hi guys,
Lately, as a computer guy, I am seeing a lot of modifications to application files on the web. What I mean is that using 3 different internet connections with 3 different browsers could bring 5 different MD5 or SHA checksums.
So I believe somebody needs to do something here.
I'd like to get comments on who could better do this: antivirus, OS or browser. My call is a browser with a high security option that simultaneously downloads each file I download to make a checksum control and warns me if there's any mismatch; that could be really handy.
On the other hand, AV vendors are trying to create their own whitelisting mechanisms, but downloading each file and doing a manual checksum control is starting to be 20% of all the job.
What do you think?
Ozgur
People have done something about it, but nobody can be bothered to use any of the options.
Until web sites protect themselves from spoofing by using DNSSEC and TLS/DANE validation, nothing the browser has or does can guarantee a safe download.
Vivaldi do not protect the site with DNSSEC, so yes you can have an encrypted download, but is it really from the real Vivaldi?
https://dnssec-name-and-shame.com/domain/vivaldi.com
https://dnssec-name-and-shame.com/domain/downloads.vivaldi.com

All browsers could easily have a box in the download requester where you paste the hash from the site you get the file from, but as you cannot see if the site is being spoofed, it solves nothing.
There are several options for automatically including hashes with a clickable web link, but browser vendors can't be bothered until a security issue becomes critical.
Magnet links are only ever used on torrent sites, but are a universal standard that support many URLs/URIs and hash types.
You can have the file protected by including multiple sources and hashes, just like P2P downloads.
https://en.wikipedia.org/wiki/Magnet_URI_scheme

Metalinks also support multiple sources, networks and hashes, but are generally mostly just used by open source Linux projects for distributing ISOs.
https://en.wikipedia.org/wiki/Metalink

There is also a proposed standard "Trusted Linker Download Redirection"
https://www.bennish.net/tldr/

When the Mint Linux site was distributing from a compromised mirror, anyone that used P2P or the hashes on the main site was protected as the bad ISO would have failed validation.
Anyone using the Firefox browser extension "Download Them All" would have had the option to automatically validate the file with multiple hashes and use multiple sources.
If 1 of the sources was the bad mirror, it would corrupt the file and fail validation.

However, as I keep pointing out, all that protection is worthless if you are getting your download via a faked site because the hashes will also be changed, so until all visitors and sites are both using DNSSEC and the sites have configured it for validation it is only a partial solution.
Browsers have the ability to check certificates for domain names, but none have the ability to verify the domain is on the correct IP address.
Functionality of TLS/DANE validation needs to be added to browsers or the user has no notification that the DNS or site is being spoofed.
https://www.dnssec-validator.cz

For now the best you can do is use 1 of the auto-scanning VirusTotal extensions
https://add0n.com/virus-checker.html
But be warned, VirusTotal is often up to a month behind recognising new malware.
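
As an added example (not part of the thread and not code from any project mentioned in it), here is the Metalink check described in the reply above, written in Python: it parses a Metalink 4 document and verifies downloaded bytes against every listed hash. The payload, file name and mirror URLs are constructed, and the policy of requiring at least one SHA-256/SHA-512 hash is an assumption; as the reply points out, the check only helps when the Metalink itself came from the genuine site.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"ml": "urn:ietf:params:xml:ns:metalink"}  # Metalink 4 (RFC 5854) namespace
# Metalink hash type names -> hashlib algorithm names
ALGOS = {"md5": "md5", "sha-1": "sha1", "sha-256": "sha256", "sha-512": "sha512"}
STRONG = {"sha-256", "sha-512"}  # assumed policy: one collision-resistant hash required

def parse_metalink(xml_text):
    """Return {file name: {"size", "hashes", "urls"}} from a Metalink 4 document."""
    # stdlib ElementTree does not fetch external entities; for hostile XML
    # a hardened parser is still the safer choice.
    files = {}
    for f in ET.fromstring(xml_text).findall("ml:file", NS):
        size = f.findtext("ml:size", default=None, namespaces=NS)
        files[f.get("name")] = {
            "size": int(size) if size else None,
            "hashes": {h.get("type", "").lower(): (h.text or "").strip().lower()
                       for h in f.findall("ml:hash", NS)},
            "urls": [(u.text or "").strip() for u in f.findall("ml:url", NS)],
        }
    return files

def verify(data, entry):
    """Every listed hash we can compute must match, and one must be strong."""
    if entry["size"] is not None and len(data) != entry["size"]:
        return False, "size mismatch"
    known = {t: h for t, h in entry["hashes"].items() if t in ALGOS}
    if not STRONG & known.keys():
        return False, "no strong hash listed"
    for htype, expected in known.items():
        if hashlib.new(ALGOS[htype], data).hexdigest() != expected:
            return False, f"{htype} mismatch"
    return True, "ok"

# Constructed sample: payload and Metalink are made up; hashes are computed here.
PAYLOAD = b"constructed installer bytes\n"
SAMPLE = f"""<metalink xmlns="urn:ietf:params:xml:ns:metalink">
  <file name="example.iso">
    <size>{len(PAYLOAD)}</size>
    <hash type="sha-256">{hashlib.sha256(PAYLOAD).hexdigest()}</hash>
    <hash type="sha-512">{hashlib.sha512(PAYLOAD).hexdigest()}</hash>
    <url>https://mirror1.example/example.iso</url>
    <url>https://mirror2.example/example.iso</url>
  </file>
</metalink>"""

if __name__ == "__main__":
    entry = parse_metalink(SAMPLE)["example.iso"]
    print(verify(PAYLOAD, entry))                      # copy from an honest mirror
    print(verify(PAYLOAD.replace(b"i", b"1"), entry))  # copy altered on the way
```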