Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: victor43 on December 10, 2009, 06:52:20 PM
-
Can anyone provide the MD5 value for the above download ? I only wish to ensure my download has not been corrupted.
Thanks in advance
Victor
-
d4d9b0665f19de9d41fd16f33cb065bd
-
The installers are digitally signed - so just invoke Properties of that file, switch to "Digital Signatures" page, select the signature and click Details - it will be verified.
If the page Digital Signatures wasn't there, then the file would indeed be corrupted.
-
The installers are digitally signed - so just invoke Properties of that file, switch to "Digital Signatures" page, select the signature and click Details - it will be verified.
If the page Digital Signatures wasn't there, then the file would indeed be corrupted.
yeah OK but some would prefer an MD5 displayed on the web site first, just in case the sig would be tampered on its way to the PC, which can hardly happen I admit .... well it's got to happen sometimes somehow otherwise software providers wouldn't bother giving an MD5 online...
-
You can't tamper with the digital signature - that's why it's a signature (or, it's about as likely as that somebody would create a tampered package with the same MD5 as the original - and probably even less likely than somebody hacking the server, replacing the package - and updating the displayed hash as well).
-
It probably won't be long before someone leverages the research into MD5 collisions to create a hacked package that has the same MD5 hash as the official package. It's already possible to create a pair of non-identical files having the same MD5 hash. http://www.mscs.dal.ca/~selinger/md5collision/ ; http://www.win.tue.nl/hashclash/SoftIntCodeSign/ . In these attacks, both files must contain significant specially-crafted common data, which makes it nontrivial for an attacker to create a hacked package bearing the same signature as the official one. But I suspect it won't be long before someone succeeds at this.
BTW, Authenticode will *not* be immune to this attack, because it supports MD5-based signatures. http://blog.didierstevens.com/2009/01/17/playing-with-authenticode-and-md5-collisions/. Fortunately, though, Authenticode uses SHA1 by default, so the attack will work only if the official package is (unwisely) signed using MD5. I've never seen such a package.
The upshot? Rely on the Authenticode signature. It's at least as secure -- and almost certainly far more secure -- than using a side-posted MD5 hash.
-
thanks ZeroSpam, interesting post ;) ...so I guess posting an MD5 has become useless these days :'( ;D
-
...so I guess posting an MD5 has become useless these days :'( ;D
Not necessarily, some still do, if not only for the purpose of quickly checking for a full, uncorrupted download. (which incedently, was the reason that it was asked for ;))
-
thanks ZeroSpam, interesting post ;) ...so I guess posting an MD5 has become useless these days :'( ;D
Probably should use at least 3 types of compatible checksum to ensure security, including MD5, SHA-1, or digital signature ~
-
they could even use higher sha checksums, like 256 or 512, as those programs like avast are pretty small in size and fast to verify.
-
It might be recommended as one of the checksum, depending on the security requirement. However, probably not convenient for general user to find compatible software on download site ~
-
Thanks micky77 to all other posters. Victor.