[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-wget] How to ensure data completeness/integrity for the file do

From: Micah Cowan
Subject: Re: [Bug-wget] How to ensure data completeness/integrity for the file downloaded using wget
Date: Tue, 28 Jul 2009 11:31:50 -0700
User-agent: Thunderbird (X11/20090608)

Hash: SHA1

Anthony Bryan wrote:
> as you know, file size has nothing to do with integrity or matching
> checksums, except that you know if the file size is different then the
> checksums can't match...

Untrue; the set of possible files (and their sizes) that match a
particular checksum is infinite. The point is that _finding_ even one
file from that set is supposed to be hard... but it isn't, for
flawed-but-popular checksums (such as MD5). MD5 is only reasonable
assurance of integrity if (a) you also verify the file size (it's
currently still "hard" to match both file size _and_ MD5 sum), or (b)
you discount the possibility of intentional meddling (an attacker).

(But since we're only talking about guarding against transmission
errors, (b) is probably a safe assumption: or if it isn't, then there's
probably nothing you could do about it, since if they can modify the
message they can also modify the checksum.)

> the easiest solution if you're in control of the server would probably
> be to use the Content-MD5 header and a download program that supports
> it. I don't know if wget does; probably not.

Not currently.

- --
Micah J. Cowan
Programmer, musician, typesetting enthusiast, gamer.
Maintainer of GNU Wget and GNU Teseq
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


reply via email to

[Prev in Thread] Current Thread [Next in Thread]