[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Bug-wget] How to ensure data completeness/integrity for the file do
Re: [Bug-wget] How to ensure data completeness/integrity for the file downloaded using wget
Tue, 28 Jul 2009 11:31:50 -0700
Thunderbird 126.96.36.199 (X11/20090608)
-----BEGIN PGP SIGNED MESSAGE-----
Anthony Bryan wrote:
> as you know, file size has nothing to do with integrity or matching
> checksums, except that you know if the file size is different then the
> checksums can't match...
Untrue; the set of possible files (and their sizes) that match a
particular checksum is infinite. The point is that _finding_ even one
file from that set is supposed to be hard... but it isn't, for
flawed-but-popular checksums (such as MD5). MD5 is only reasonable
assurance of integrity if (a) you also verify the file size (it's
currently still "hard" to match both file size _and_ MD5 sum), or (b)
you discount the possibility of intentional meddling (an attacker).
(But since we're only talking about guarding against transmission
errors, (b) is probably a safe assumption: or if it isn't, then there's
probably nothing you could do about it, since if they can modify the
message they can also modify the checksum.)
> the easiest solution if you're in control of the server would probably
> be to use the Content-MD5 header and a download program that supports
> it. I don't know if wget does; probably not.
Micah J. Cowan
Programmer, musician, typesetting enthusiast, gamer.
Maintainer of GNU Wget and GNU Teseq
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----