[jitsi-dev] Hello


#1

Can you please provide a SHA256, SHA1 or MD5 for your executables on the
website.... to verify the download...


#2

Adeel Malik:

> Can you please provide a SHA256, SHA1 or MD5 for your executables on the
> website.... to verify the download...

I'd second the desire for verifiable downloads. However plain checksums don't
provide any security because any attacker can also provide false checksums.
GPG signatures are the standard, secure way to sign artifacts.

Regards,

Thomas Koch, http://www.koch.ro


#3

Hey folks,

We haven't discussed this so far but we'll definitely think about it.

I suppose https download would also do though, right?

Emil

-- sent from my mobile


On Dec 31, 2011 1:11 PM, "Thomas Koch" <thomas@koch.ro> wrote:

Adeel Malik:
> Can you please provide a SHA256, SHA1 or MD5 for your executables on the
> website.... to verify the download...
I'd second the desire for verifiable downloads. However plain checksums don't
provide any security because any attacker can also provide false checksums.
GPG signatures are the standard, secure way to sign artifacts.

Regards,

Thomas Koch, http://www.koch.ro


#4

Emil Ivov:

> Hey folks,
>
> We haven't discussed this so far but we'll definitely think about it.
>
> I suppose https download would also do though, right?
>
> Emil

Hi Emil,

https downloads are of course an improvement but a really small one and I'm
concerned about any measurement that provides a false sense of security which
isn't warranted.
An attacker that can hack the project's web server could serve https "verified"
artifacts if https would be the only measurement. And https is flawed to begin
with. It's no problem for a government to get false SSL certificates.

HTTPS only verifies the artifact in the moment you download it from the
original web page, not if it is mirrored or lies on your hard disk. But a gpg
signature can be mirrored together with the artifact and can be verified at
any time.

Do download managers verify SSL?

There'll be the keysigning party at Fosdem! :-)

Thank you for taking your time for security!

By the way: Git has security built in via GPG signed tags.

Best regards,

Thomas Koch, http://www.koch.ro
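
Added example, not part of the thread and not Jitsi's code: a detached GPG signature on a mirrored download only helps if the verifier checks which key made it, because `gpg --verify` succeeds for a good signature from any key in the keyring. The sketch below parses gpg's `--status-fd` output and accepts the file only when the signature comes from a fingerprint obtained out of band (for example at a keysigning party); the fingerprints, names and status lines are constructed.

```python
import subprocess

# Status keywords gpg emits for signatures that must not be accepted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def signed_by_pinned_key(status_text, pinned_fpr):
    """True only if every VALIDSIG line names the pinned fingerprint."""
    pinned = pinned_fpr.replace(" ", "").upper()
    accepted = False
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword, args = parts[1], parts[2:]
        if keyword in REJECT:
            return False
        if keyword == "VALIDSIG":
            # args[0] is the signing (sub)key fingerprint, args[-1] the primary key's.
            if not args or pinned not in (args[0].upper(), args[-1].upper()):
                return False  # good signature, but from a key we did not pin
            accepted = True
    return accepted

def verify_download(artifact, signature, pinned_fpr):
    """Run gpg on a detached signature and apply the pinned-key check."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, artifact],
        capture_output=True, text=True)
    return proc.returncode == 0 and signed_by_pinned_key(proc.stdout, pinned_fpr)

# Constructed sample data: fingerprints and status lines are made up.
PINNED = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
GOOD = ("[GNUPG:] GOODSIG 89ABCDEF01234567 Release Key <release@example.org>\n"
        "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2012-01-02 "
        "1325462400 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567\n")
OTHER_KEY = GOOD.replace("0123456789ABCDEF0123456789ABCDEF01234567",
                         "FEDCBA9876543210FEDCBA9876543210FEDCBA98")
TAMPERED = "[GNUPG:] BADSIG 89ABCDEF01234567 Release Key <release@example.org>\n"

if __name__ == "__main__":
    for name, status in [("good", GOOD), ("other key", OTHER_KEY), ("tampered", TAMPERED)]:
        print(name, signed_by_pinned_key(status, PINNED))
```

`verify_download` needs a local `gpg` binary with the project's public key already imported; the parsing function runs on its own against the constructed samples.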