3

For example the SHA256sum of an Ubuntu ISO image, or an OpenBSD amd64 image. Are there any sites?

It's important that the site must use HTTPS or at least it must provide GPG check for the hashes.

Hendrik Brummermann
  • 27,258
  • 6
  • 81
  • 121
LanceBaynes
  • 6,279
  • 12
  • 63
  • 92
  • Not sure what you are asking here - certainly the ISO file hosts, their mirrors and torrent hosts often provide the hash of the image. Can you clarify the question? – Rory Alsop Sep 21 '11 at 10:21
  • 2
    @RoryAlsop - a trusted independent third party website, with some security features, that lists very many ISO images and their hashes? – DanBeale Sep 21 '11 at 11:57
  • hmmm - can't think why you would want this. Can you clarify why you want to trust another 3rd party, rather than the host and all its mirrors? – Rory Alsop Sep 21 '11 at 12:00
  • 2
    I suppose I can see a potential reason for this. If you have the example of a site distributing software which is compromised by attackers. Assume that the server that has been compromised has the ISO files and the web content on it. If the attacker wants to inject malware to the image the hash would change, so the easy option is to also change the web content to suggest that the new hash is accurate. Having a 3rd party with a list of images and "known good" hashes, could provide an additional check that the software supplied had not been tampered with. – Rory McCune Sep 21 '11 at 12:16
  • Wouldn't the trust model required be just as easy to implement for the original site? Kinda see what you mean though – Rory Alsop Sep 21 '11 at 13:15
  • 1
    I think what he's getting at is directly related to the recent mysql thing. So if you go to the distribution site and some other site to verify that they match...etc – RobotHumans Sep 27 '11 at 17:25
  • Whatever could fool you into accepting a bogus file could also fool the site, no? – David Schwartz Sep 30 '11 at 11:53

4 Answers4

8

The National Software Reference Library is a catalog of valid hashes for OS and application files. This listing can then be used, for example, to validate installed OS files on a system. To quote from their site, "In most cases, NSRL file data is used to eliminate known files, such as operating system and application files, during criminal forensic investigations."

I don't know if it includes Ubuntu or OpenBSD, and their index page looks lost at the moment.

gowenfawr
  • 72,893
  • 17
  • 165
  • 200
  • "The NSRL is investigating downloaded files from websites, by burning the downloads onto CDs that can be stored on our shelves. The digital signatures from these files are not traceable to our level of satisfaction and are not included in the RDS, but are available as they may be of interest to the community. " – woliveirajr Sep 21 '11 at 17:48
  • this is a laugh. it got 7 ups. :D .. did anyone see the linked site? it's full of 404 errors!! there aren't any listings of softwares on it! man! – LanceBaynes Sep 30 '11 at 12:21
  • 1
    The site's crap, the database they provide isn't... it's NIST, you don't really expect them to run a web site competently, do you? – gowenfawr Sep 30 '11 at 13:46
3

To be completely trust-worthy, the hash must be provided by the same person providing the product. In fact, you do not want someone you do not know computing a hash, he may have intention to lie, whereas the provider who don't.

HTTPS is not a requirement. However, if you want to avoid a Man in the Middle attack, where someone could trick you in believing you get the right product with a matching hash, then you need to authenticate the source from where you get the hash. Since this is the validator the integrity of the product, you MUST be able to trust it. For that goal, HTTPS (SSl/TLS) is a mean to achieve authentication. It has the advantage to rely on a known protocol, which get its trust from a chain of certificates. Another way of doing it would be with a digital signature (like GPG sign).

At last, both model are different, but they have a common problem which has to be solved for the trust to exist. YOU must trust someone for doing some job. In the HTTPS case, this would be the Certificate Authority whose root certificate is embedded in your browser, for the GPG it would be the person that gives you the public key of the producer.

M'vy
  • 13,053
  • 3
  • 49
  • 70
3

As gowenfawr noted, the National Software Reference Library is a useful source for this approach. And while there are indeed risks of trusting third-party hashing sites, there are also advantages to having multiple viewpoints, especially for hashes, which can be easily modified if the primary web site is hacked. This is similar to the approach that Convergence takes - see Convergence - an SSL replacement?. If different sites disagree about what a hash should be, that alerts the user to at least check it out more thoroughly.

Community
  • 1
nealmcb
  • 20,783
  • 6
  • 72
  • 117
1

In general the company that delivers the image files are the one that provide the hashes. For example, you'd get the ubuntu one's from any of the ubuntu mirrors.

woliveirajr
  • 4,492
  • 2
  • 18
  • 26