
/tech/ - Technology


File: Captura de pantalla (594).png (93.83 KB, 1366x768)


 No.833739>>833903 >>833949 >>834022

Why do companies continue to use MD5? Is it so difficult to use sha256?

 No.833770>>833988

Because you don't check the sums anyway


 No.833829>>833972 >>833988 >>834004

You'd better ask why developers don't add PGP signatures to distributed binaries.


 No.833847>>833988

(((Oracle)))

found your problem


 No.833848

Because it works and you're stupid.


 No.833869>>833871 >>834099

Speed. If I want to just check that a file downloaded or transferred correctly from the site, or it's just a disk-to-disk transfer and I know it's already good, I don't want to waste the additional 0.5s that better hashing algos will take.


 No.833871>>833886 >>833888

>>833869

b-but the NSA is watching muh HTTP request to gayfaggot.com with billions of servers just waiting to collide the hash!!!


 No.833886>>833910

>>833871

Yes, they really are fucking waiting to do that if you are a target of interest.


 No.833888>>833988

>>833871

Don't be silly, that will only happen if you use (((https)))


 No.833890>>833913 >>833988

Because companies host their stuff on their own website.

If the sha256 hash and the content associated come from the same source (same server), the hash is only good for error checking.


 No.833903>>833909

>>833739 (OP)

Do you think the NSA can really patch in a backdoor and add enough filler to dupe the MD5 code and keep the file size small enough so that you won't notice?


 No.833909

>>833903

If it's something many people access and do so often, then yes. Like say for example, the linux kernel source code tarballs. Or certain gentoo or arch packages of importance. Use your imagination.


 No.833910>>833920

>>833886

>implying they do not already have all recent unique content seen on HTTP already cached and cracking


 No.833913>>833920

>>833890

Well fucking duh. You're supposed to verify with other sources that the hash is correct.


 No.833920>>833940

>>833913

If everyone else got the faked file, how do you ever know it is correct?

>>833910

>implying they don't already have all content, http or https, cached and being cracked

they don't, it is a crack on demand thing. Not needed for http obviously.


 No.833940

>>833920

>how do you ever know it is correct?

Because theoretically they'd find out at some point if the file is bad. If someone's reported hash from 6 months ago matches yours, you're probably fine.


 No.833949>>834018

>>833739 (OP)

why do companies still have XSS vulns?

why do companies still have SQLi?

why do companies still have RCE?

why do companies still use web?

why do companies be SJW?

why do companies recall 500 products a year?

why do companies run outdated software and software with bad reputations?

why do companies make IoT?

wait if you got a file from a site there's literally no point in it providing a hash unless you have some piece of shit HDD. it either uses HTTP, in which case MiTM can just replace the hash, or HTTPS, in which case the file integrity is already "assured" by HTTPS, and having the hash there provides no extra protection. you should be using something proper like OpenPGP anyway


 No.833972

>>833829

This

You can use MD5; if it's PGP signed there's nothing to worry about.


 No.833988

>>833770

but I do

>>833829

this is a bit more work to check

>>833847

they have sha256 sums for VirtualBox and Java, though

>>833888

lolwat?

are you implying that (((https))) is less safe than (((http)))?

>>833890

if the hash is served over https and the content over http, then it's more than regular error checking.


 No.834004>>834021

>>833829

For a firmware updater I wrote, I get hashes over https then download the firmware unencrypted (it's fairly large, about 160MiB). GnuPG would be a bad idea as it's a lot of bloat to have to install on a system, there's a lot of additional complexity in handling all that and maintaining trust, it requires a different set of credentials than everything else, and it requires clock synchronization for proper trust which isn't practical as many networks block NTP (yes I know they shouldn't).


 No.834018

>>833949

> proper like OpenPGP anyway

... which is used to sign the checksums.


 No.834021>>834102

>>834004

>many networks block NTP

WAT

any proofs on that?


 No.834022>>834621

>>833739 (OP)

>reeee don't use MD5 anymore

Triggered much? MD5 works fine for checking file integrity. No need to use SHA256 for that. You seem to have the newer == better mentality. You're not right, friend.


 No.834099

>>833869

>what is blake2

I'll tell you what it is: superior to MD5 in literally every way


 No.834102>>834465

>>834021

I am proofs. I've been building networking devices for two decades and I'm telling you what I run into.


 No.834465>>834472

>>834102

Which ports are commonly open besides 443 and 80?


 No.834472>>834579

>>834465

The issue isn't inbound blocking, it's outbound/session blocking. Even when traffic originates inside the network, the replies are thrown out. NTP is the first that caused me trouble as more retards started tinkering with firewalling, but now major websites are often blocking ICMP unreach replies /to their own traffic/. Zendesk does this, for example.


 No.834579>>834589

>>834472

So in this case which ports are safer to use for traffic that must go in both directions and besides 443 and 80?


 No.834589>>834606 >>834608

>>834579

I really don't understand what you mean. Safer in what way? What is it that you're trying to do?


 No.834606>>834626

>>834589

safer = less likely to be blocked in a random oppressive network.


 No.834608

>>834589

and I'm trying to do a somewhat censor-proof tunnel, but it must not use ports 443 or 80 because (reasons)


 No.834621

File: hash1.jpg (327.25 KB, 1280x905)

File: hash2.jpg (327.25 KB, 1280x985)

>>834022

For checking integrity against random bitrot, sure. For verifying whether the package has been tampered with in transit, not so much.
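Added example, not from any poster in this thread: a small verifier for a `md5sum`/`sha256sum`-style manifest that runs the three situations argued over in >>833890, >>833988, >>834004 and >>834621. It hashes the file in 1 MiB chunks (so a 160 MiB firmware image never has to sit in memory), then checks (1) random bitrot, which even MD5 catches; (2) a swapped file checked against a manifest fetched from a channel the attacker could not touch, which is also caught; and (3) the same-source case, where whoever replaced the file also rewrote the manifest next to it, so the check passes and proves nothing about authenticity. The manifest format (`<hexdigest>  <filename>`, optional `*` for binary mode), the `firmware.bin` name and the byte contents are constructed for the demonstration.

```python
"""Verify a download against a checksum manifest and show what the check proves.
Added example; manifest layout assumed to be the one md5sum/sha256sum/b2sum write,
sample bytes are constructed."""
import hashlib
import hmac
import os
import string
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB pieces so a large image never sits in memory
HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}  # sha512/blake2b: pass algo=


def hash_file(path, algo="sha256"):
    """Streaming hex digest of a file on disk."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums(text):
    """Parse `<hex>  <name>` / `<hex> *<name>` lines into {name: lowercase hex}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or not set(parts[0]) <= set(string.hexdigits):
            raise ValueError(f"malformed manifest line: {raw!r}")
        entries[parts[1].lstrip("*")] = parts[0].lower()
    return entries


def verify(manifest_text, directory, algo=None):
    """Return {name: bool}; the algorithm is inferred from digest length unless given."""
    results = {}
    for name, expected in parse_sums(manifest_text).items():
        a = algo or HEX_LEN_TO_ALGO.get(len(expected))
        if a is None:
            raise ValueError(f"cannot infer algorithm for {name}; pass algo=")
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = False  # a missing file is a failed check, not a crash
            continue
        results[name] = hmac.compare_digest(hash_file(path, a), expected)
    return results


def flip_bit(path, bit_index):
    """Simulate bitrot / a damaged transfer by flipping one bit in place."""
    with open(path, "r+b") as f:
        f.seek(bit_index // 8)
        byte = f.read(1)[0]
        f.seek(bit_index // 8)
        f.write(bytes([byte ^ (1 << (bit_index % 8))]))


ORIGINAL = bytes(range(256)) * 4096   # constructed 1 MiB "firmware" image
TAMPERED = ORIGINAL[:-1] + b"\x00"    # constructed: same size, last byte changed


def run_scenarios():
    """Three situations from the thread, all checked with plain MD5."""
    with tempfile.TemporaryDirectory() as d:
        name = "firmware.bin"
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(ORIGINAL)
        # the manifest as the vendor published it (fetched over https, or PGP-signed)
        manifest = f"{hash_file(path, 'md5')}  {name}\n"
        intact = verify(manifest, d)[name]

        # 1. random corruption: one flipped bit is caught by any hash, MD5 included
        flip_bit(path, bit_index=8 * 777 + 5)
        bitrot_caught = not verify(manifest, d)[name]

        # 2. the file was swapped but the manifest came from a channel the attacker
        #    could not touch: the mismatch is detected
        with open(path, "wb") as f:
            f.write(TAMPERED)
        tamper_caught = not verify(manifest, d)[name]

        # 3. same source: whoever replaced the file also rewrote the manifest beside it,
        #    so the check passes and says nothing about who produced the file
        forged_manifest = f"{hash_file(path, 'md5')}  {name}\n"
        same_source_passes = verify(forged_manifest, d)[name]

    return {"intact": intact, "bitrot_caught": bitrot_caught,
            "tamper_caught": tamper_caught, "same_source_passes": same_source_passes}


if __name__ == "__main__":
    print(run_scenarios())
```

Scenario 3 is the whole point of the "hash on the same server" objection: the digest algorithm is irrelevant there, because the verifier is trusting the manifest and the file from one place. What turns a checksum into tamper evidence is the manifest arriving through something the attacker cannot rewrite (a separate HTTPS origin, or a detached PGP signature checked against a key obtained out of band); the hash itself only has to be collision-resistant enough that a substituted file cannot match a digest it was not computed from, which is where MD5, unlike SHA-256 or BLAKE2, no longer holds up.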


 No.834626

>>834606

Oh, what you want is to have a rendezvous outside of the network. Like a STUN server or whatnot - you can reuse whatever anti-NAT tech you prefer. Then establish the connection out and listen on the remote for connections so you don't have to deal with firewalls/IDS blocking incoming.

The VPN service I built for my company uses EC2 boxes for this (I have them connect their branch offices via cellular which are a shitshow for incoming), but be aware that IPs on cloud services are heavily abused and you'll have to deal with being blocked by many websites.

