Posted to dev@httpd.apache.org by Jim Jagielski <ji...@jaguNET.com> on 2017/02/24 17:52:09 UTC

SHA-256

I think we should start, in addition to "signing" w/ md5 and sha-1,
using sha-256 as well.

Sound OK?

Re: SHA-256

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Fri, Feb 24, 2017 at 11:59 PM, Helmut K. C. Tessarek
<te...@evermeet.cx> wrote:
>
> On 2017-02-24 23:45, William A Rowe Jr wrote:
>
>> We provide .asc pgp signatures exclusively for that purpose.
>
> I agree, gpg is the only way to check the authenticity of a file.
>
> However, people who use hashes to do this (for reasons I previously
> mentioned) are in a lot safer spot, because it's most likely impossible
> for an adversary to create a collision.

There is no need to generate a collision.

If evilmirror.net/httpd/ fools users into thinking the .sha256 files on their
site are legitimate, or if there is an MITM DNS spoof of www.apache.org,
the faux-httpd-2.4.25.tar.gz.sha256 file is simply replaced with a hash
result that matches the file.

Our official downloads.html page links https://www.apache.org/dist/httpd/
files for all PGP sigs and hashes, but that presumes the user steps
through the website in the typical way.

"People who use hashes to do this" are not doing themselves favors.

Re: SHA-256

Posted by "Helmut K. C. Tessarek" <te...@evermeet.cx>.
Thank you for the response.

On 2017-02-24 23:45, William A Rowe Jr wrote:
> They are useful for file completeness/error checking only. I'd agree 
> there is zero purpose in retaining SHA1 when SHA256 is in place.

Unfortunately a lot of people do not know this. They compare the hashes
instead, either because they don't understand the background, don't have
gpg installed, or think checking the hashes is the same as verifying a
signature.

> And SHA256 is a means to authenticate how, exactly?
> 
> We provide .asc pgp signatures exclusively for that purpose.

I agree, gpg is the only way to check the authenticity of a file.

However, people who use hashes to do this (for reasons I previously
mentioned) are in a lot safer spot, because it's most likely impossible
for an adversary to create a collision.

I just didn't understand why there would be a reason for other hashes,
if there was a sha-256 hash available. Even on legacy systems I've seen
implementations for sha256.

Thanks again for your answer.

Cheers,
  K. C.

-- 
regards Helmut K. C. Tessarek
lookup http://pool.sks-keyservers.net for KeyID 0xC11F128D

/*
   Thou shalt not follow the NULL pointer for chaos and madness
   await thee at its end.
*/

Re: SHA-256

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Fri, Feb 24, 2017 at 2:30 PM, Helmut K. C. Tessarek
<te...@evermeet.cx> wrote:
> On 2017-02-24 12:52, Jim Jagielski wrote:
>> I think we should start, in addition to "signing" w/ md5 and sha-1,
>> using sha-256 as well.
>
> I have a question: why are you still using md5/sha1 for generating file
> hashes in the first place?
>
> No one with knowledge of hashing algos would use these hashes to validate
> a file's authenticity.

Uhm, no one uses hashes to validate authenticity unless they are transmitted
through an entirely distinct channel. E.g. not your internet connection.

They are useful for file completeness/error checking only. I'd agree there is
zero purpose in retaining SHA1 when SHA256 is in place. MD5 has the one
distinction of being ubiquitous even on ancient OS's.

> Bottom line is that you lull people into a false sense of security by
> providing md5/sha1 hashes. People, who don't know that these algorithms
> have been broken already, might think that they are safe (by checking
> the file against the md5 hash) while in reality they are not.

And SHA256 is a means to authenticate how, exactly?

We provide .asc pgp signatures exclusively for that purpose.

Re: SHA-256

Posted by "Helmut K. C. Tessarek" <te...@evermeet.cx>.
On 2017-02-24 12:52, Jim Jagielski wrote:
> I think we should start, in addition to "signing" w/ md5 and sha-1,
> using sha-256 as well.

I have a question: why are you still using md5/sha1 for generating file
hashes in the first place?

No one with knowledge of hashing algos would use these hashes to validate
a file's authenticity.

Bottom line is that you lull people into a false sense of security by
providing md5/sha1 hashes. People, who don't know that these algorithms
have been broken already, might think that they are safe (by checking
the file against the md5 hash) while in reality they are not.

Cheers,
  K. C.

-- 
regards Helmut K. C. Tessarek
lookup http://pool.sks-keyservers.net for KeyID 0xC11F128D

/*
   Thou shalt not follow the NULL pointer for chaos and madness
   await thee at its end.
*/

Re: SHA-256

Posted by Dirk-Willem van Gulik <di...@webweaving.org>.
On 24 Feb 2017, at 18:52, Jim Jagielski <ji...@jaguNET.com> wrote:
> 
> I think we should start, in addition to "signing" w/ md5 and sha-1,
> using sha-256 as well.
> 
> Sound OK?

That seems to match the advice of NIST, E-CRYPT and the BSI on

	https://www.nrc.nl/nieuws/2017/02/24/zelfrijdende-auto-google-uber-stal-onze-robotauto-6964363-a1547533

none of which seems that eager to push us to 385 or 512 for the next 4 years. 

Though if we are updating the scripts - perhaps add sha-512 - just to ‘socialize’ it early.

Dw.


Re: SHA-256

Posted by Jacob Champion <ch...@gmail.com>.
On 02/24/2017 10:02 AM, Yann Ylavic wrote:
> Our "true" signing has and will always be PGP.
> Though SHA-256 is often asked by users@, so,
> +1

+1

--Jacob

Re: SHA-256

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Fri, Feb 24, 2017 at 12:02 PM, Yann Ylavic <yl...@gmail.com> wrote:
> On Fri, Feb 24, 2017 at 6:52 PM, Jim Jagielski <ji...@jagunet.com> wrote:
>> I think we should start, in addition to "signing" w/ md5 and sha-1,
>> using sha-256 as well.
>>
>> Sound OK?
>
> Our "true" signing has and will always be PGP.
> Though SHA-256 is often asked by users@, so,
> +1

+1 to adding SHA-256, +/-0 for SHA-512 at this point in time.
With that change, +1 to removing SHA-1, and +/-0 to retaining MD5.

One modern sha hash is sufficient to verify the transmission,
and these hashes may only be used for that purpose. I'm ok with
retaining MD5 simply because a tiny number of downloaders will
have no SHA hash validation tool at hand. It's still sufficient to check
that the download was not corrupted.

If we dig through our site and delete all references to 'signature'
with respect to any hashes, how do we refer to these? This is what
autoindex reports from www.a.o/dist/...

 httpd-2.2.32.tar.bz2.asc        2017-01-12 18:38  801   PGP signature
 httpd-2.2.32.tar.bz2.md5        2017-01-12 18:38   55   MD5 hash

Good there, no claim that this is a signature.

In the corresponding README in /dist/httpd, we state

"We offer MD5 hashes as an alternative to validate the integrity of
the downloaded files. A unix program called md5 or md5sum is included
in many unix distributions. It is also available as part of GNU
Textutils. Windows users can get binary md5 programs from here, here,
or here."

That message should be split out from 'PGP Signatures' and then
we can add the openssl command line syntax for sha validation.

There are other issues with downloads.html which I'm working up
a patch for already, but let's go ahead and do this. We made little
mention of .sha1 in our docs, so replacing these with .sha256 is
a no-brainer.
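
[Added example, not part of the message above and not the httpd project's tooling.] The sketch below runs the openssl-based SHA-256 check mentioned in this thread over constructed files, showing that a checksum file catches a truncated transfer but passes substituted bytes when it comes from the same place as the download. Assumptions: the function names, the pkg.tar.gz file names and the "digest  filename" checksum-file layout are hypothetical.

```shell
#!/bin/sh
# Added example, not the httpd project's tooling. All files are constructed.

# SHA-256 of a file as hex. openssl's output label varies by version, so the
# digest is taken as the last field; sha256sum is used if openssl is absent.
sha256_of() {
    if command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 < "$1" | awk '{print $NF}'
    else
        sha256sum < "$1" | awk '{print $1}'
    fi
}

# Compare FILE ($1) with the first field of SUMFILE ($2).
# Assumed layout: "<hex digest>  <filename>".
check_against_file() {
    [ "$(sha256_of "$1")" = "$(awk 'NR==1 {print tolower($1)}' "$2")" ]
}

# Compare FILE ($1) with a digest ($2) obtained over a separate channel.
check_against_digest() {
    [ "$(sha256_of "$1")" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

verdict() { if "$@"; then echo pass; else echo FAIL; fi; }

demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/origin" "$d/mirror"
    # Genuine release and its published checksum file.
    printf 'constructed release contents\n' > "$d/origin/pkg.tar.gz"
    good=$(sha256_of "$d/origin/pkg.tar.gz")
    printf '%s  pkg.tar.gz\n' "$good" > "$d/origin/pkg.tar.gz.sha256"
    # Case 1: transfer cut short; the genuine checksum file catches it.
    printf 'constructed release' > "$d/short.tar.gz"
    echo "truncated=$(verdict check_against_file "$d/short.tar.gz" "$d/origin/pkg.tar.gz.sha256")"
    # Case 2: the mirror serves other bytes and a checksum file made from them.
    printf 'constructed substituted contents\n' > "$d/mirror/pkg.tar.gz"
    printf '%s  pkg.tar.gz\n' "$(sha256_of "$d/mirror/pkg.tar.gz")" > "$d/mirror/pkg.tar.gz.sha256"
    echo "same-channel=$(verdict check_against_file "$d/mirror/pkg.tar.gz" "$d/mirror/pkg.tar.gz.sha256")"
    # Case 3: the same bytes checked against the digest fetched from the origin.
    echo "separate-channel=$(verdict check_against_digest "$d/mirror/pkg.tar.gz" "$good")"
    rm -rf "$d"
}

demo
```

Only the third check detects the substitution, and it depends on the digest arriving by a channel the mirror does not control; the .asc PGP signature is what the thread names for authenticity.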

Re: SHA-256

Posted by Yann Ylavic <yl...@gmail.com>.
On Fri, Feb 24, 2017 at 6:52 PM, Jim Jagielski <ji...@jagunet.com> wrote:
> I think we should start, in addition to "signing" w/ md5 and sha-1,
> using sha-256 as well.
>
> Sound OK?

Our "true" signing has and will always be PGP.
Though SHA-256 is often asked by users@, so,
+1