[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Bug-wget] How to ensure data completeness/integrity for the file do
|
From: |
Micah Cowan |
|
Subject: |
Re: [Bug-wget] How to ensure data completeness/integrity for the file downloaded using wget |
|
Date: |
Tue, 28 Jul 2009 11:31:50 -0700 |
|
User-agent: |
Thunderbird 2.0.0.22 (X11/20090608) |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Anthony Bryan wrote:
> as you know, file size has nothing to do with integrity or matching
> checksums, except that you know if the file size is different then the
> checksums can't match...
Untrue; the set of possible files (and their sizes) that match a
particular checksum is infinite. The point is that _finding_ even one
file from that set is supposed to be hard... but it isn't, for
flawed-but-popular checksums (such as MD5). MD5 is only reasonable
assurance of integrity if (a) you also verify the file size (it's
currently still "hard" to match both file size _and_ MD5 sum), or (b)
you discount the possibility of intentional meddling (an attacker).
(But since we're only talking about guarding against transmission
errors, (b) is probably a safe assumption: or if it isn't, then there's
probably nothing you could do about it, since if they can modify the
message they can also modify the checksum.)
> the easiest solution if you're in control of the server would probably
> be to use the Content-MD5 header and a download program that supports
> it. I don't know if wget does; probably not.
Not currently.
- --
Micah J. Cowan
Programmer, musician, typesetting enthusiast, gamer.
Maintainer of GNU Wget and GNU Teseq
http://micah.cowan.name/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkpvRBUACgkQ7M8hyUobTrGTKQCbBty9+FUQqnFj13DnmqEcZWdS
UDMAn0NgoILX9QCfITJ+/6nh7lr7CpPe
=gHMs
-----END PGP SIGNATURE-----