On 26.12.2016 13:12, NicoHood wrote:
So we needed to verify the source otherwise. But there was no real option as md5/sha1 is broken
I fully agree that using stronger hashes is generally a good idea, but please stop being ridiculous.
and his internet is too slow to download it again via torrent.
If you put your file at the location where the torrent client downloads the file to, it will detect this and check the existing file contents. Also, you know that torrent also uses SHA1 hashes internally, right?
The ArchLinux website connects via https. His mirror that he used did not (http or ftp).
https or not, the mirror admin has full control and can easily change the files. Please stop being pedantic and look at the bigger picture. Then you'd also see that it's much easier for an attacker to target our website and change the hashes there than trying to find an md5/sha1/filesize collision and then getting that file to you via one/all of our mirrors without having access to our servers. There are many trade offs and attack vectors when it comes to security. Don't focus on a single one. You could have improved a lot with all the dedication and time you put into these discussions if you worked on other things with more impact. Florian