downloads getting insecure each day and somebody should do something

  • Hi guys,

    Lately as a computer guy i am seing a lot of modifications on aplication files at web. What i mean is using 3 different internet connection with 3 different browsers could bring 5 different md5 or sha checksums.
    So i believe somebody need to do something here.
    I d like to get comments who could better do this: antivirus, os or browser..

    My call is a browser with a high security option telling similtaneously download each file i download to make a checksum control and warn me of theres any unmatch, could be real handy.

    On the other hand AV vendors are trying to create their own whitelisting mechanisms but to download each file and doing manuel checksum control is starting to be %20 of all the job.

    What do you think?

  • Moderator

    The use of SSL connections for downloads is really a must as files could be changed by man-in-the-middle f.ex. proxies, ISPs.

    An other problem is that the browser does not know where he could get trusted SHA checksums. MD5 (deprecated!) is never trusted as you can create easily same checksums for different files.

    The only way to check correct downloads is to have signed files from developers with OpenPGP (GnuPG, PGP) signature or X509 software certificate.

    A antivirus or desktop firewall can check against known hashes in the cloud.

    But implementing download security in browser is not easy.

    I would prefer to rely on trusted antivirus and manual SHA checksum/OpenPGP/Software certificate checks.

  • Vivaldi Translator

    People have done something about it, but nobody can be bothered to use any of the options.

    Until web sites protect them selves from spoofing by using DNSSec and TLS/DANE validation, nothing the browser has or does can guarantee a safe download.
    Vivaldi do not protect the site with DNSSec, so yes you can have an encrypted download, but is it really from the real Vivaldi ?

    All browsers could easily have a box in the download requester where you paste the hash from the site you get the file from, but as you cannot see if the site is being spoofed, it solves nothing.

    There are several options for automatically including hashes with a clickable web link, but browser vendors can't be bothered until a security issue becomes critical.
    Magnet links are only ever used on torrent sites, but are a universal standard that support many URLs/URIs and hash types.
    You can have the file protected by including multiple sources and hashes, just like P2P downloads.

    Metalinks also support multiple sources, networks and hashes, but are generally mostly just used by open source Linux projects for distributing ISOs

    There is also a proposed standard "Trusted Linker Download Redirection"

    When the Mint Linux site was distributing from a compromised mirror, anyone that used P2P or the hashes on the main site was protected as the bad ISO would have failed validation.
    Anyone using the Firefox browser extension "Download Them All" would have had the option to automatically validate the file with multiple hashes and use multiple sources.
    If 1 of the sources was the bad mirror, it would corrupt the file and fail validation.

    However, as I keep pointing out, all that protection is worthless if you are getting your download via a faked site because the hashes will also be changed, so until all visitors and sites are both using DNSSec and the sites have configured it for validation it is only a partial solution.
    Browsers have the ability to check certificates for domain names, but none have the ability to verify the domain is on the correct IP address.
    Functionality of TLS/Dane validation needs to be added to browsers or the user has no notification that the DNS or site is being spoofed.

    For now the best you can do is use 1 of the auto-scanning VirusTotal extensions
    But be warned, VirusTotal is often up to a month behind recognising new malware.

Log in to reply

Looks like your connection to Vivaldi Forum was lost, please wait while we try to reconnect.