Posted to dev@felix.apache.org by "Olaf Kock (JIRA)" <ji...@apache.org> on 2008/12/21 17:20:44 UTC

[jira] Commented: (FELIX-726) MD5 checksum handling issue with Felix download pages/mirrors

    [ https://issues.apache.org/jira/browse/FELIX-726?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12658394#action_12658394 ] 

Olaf Kock commented on FELIX-726:
---------------------------------

Is there anything I can do in order to raise sensitivity for this issue? It's basically opening Felix downloads to compromised servers - not that it will overall stay undetected, but linking the MD5 sums to the mirror servers does enable attackers to compromise a mirror server and provide their own changed version of Felix together with their own MD5 checksum.

It's not that much of a change - the download links would just need to point to the Apache site instead of the mirrors for the MD5 sums. Or get rid of MD5 completely and just use cryptographic signatures (asc), though these are probably not as easy to handle for everybody and thus this would lower security again...

> MD5 checksum handling issue with Felix download pages/mirrors
> -------------------------------------------------------------
>
>                 Key: FELIX-726
>                 URL: https://issues.apache.org/jira/browse/FELIX-726
>             Project: Felix
>          Issue Type: Bug
>         Environment: http://felix.apache.org/site/downloads.cgi
>            Reporter: Olaf Kock
>
> Hi there,
> I understand MD5 checksums as means to detect if the file that I've just downloaded is a) complete and b) the one I expected to download. While I never check a) unless I get an error unpacking, b) is very important.
> As Apache is relying heavily on mirrors, I'd like to have to trust Apache but I can't trust every mirror server. As the MD5 sums that are linked on the download server point to the mirrors themselves, this is of no value. I'd rather like them to point to the central Apache server. The few bytes for the checksums shouldn't matter much.
> Compromised mirrors would make it easy to exchange the downloaded file together with their MD5 sum - this would be somewhat more difficult to discover than getting the MD5 from an authoritative source.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
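The check Olaf is asking for, as an added example (not Felix project code and not part of the ticket): the digest is only accepted when the checksum file was served by the central Apache host, never by the mirror that served the tarball, so a mirror that swaps the artifact and the .md5 side by side gains nothing. The authoritative host name, the artifact name, the sample bytes and the mirror URL are assumptions constructed for the demonstration; the network fetches are replaced by in-memory strings so it runs offline.

```python
"""Verify a downloaded artifact against a checksum fetched from the
authoritative host rather than from the mirror that served the artifact.

Added example for this thread, not Apache Felix code. All hosts, file names
and file contents below are constructed for illustration.
"""
import hashlib
import hmac
import re
from typing import Optional, Tuple
from urllib.parse import urlparse

# Assumption: checksum files are trusted only when served from this host
# over TLS (the "central Apache server" the ticket asks the links to use).
AUTHORITATIVE_HOST = "www.apache.org"

# Checksum file layouts seen in the wild; the hex is extracted, the file
# name (when present) is checked against the artifact being verified.
_LINE_FORMATS = (
    # "d41d8cd9...  felix-1.4.0.tar.gz"   (md5sum / shasum, name optional)
    re.compile(r"^(?P<hex>[0-9a-f]{32,128})(?:\s+\*?(?P<name>\S+))?$", re.I),
    # "MD5 (felix-1.4.0.tar.gz) = d41d8cd9..."   (BSD md5 / openssl dgst)
    re.compile(r"^(?:md5|sha\d*)\s*\((?P<name>[^)]+)\)\s*=\s*(?P<hex>[0-9a-f]{32,128})$", re.I),
    # "felix-1.4.0.tar.gz: D4 1D 8C D9 ..."   (gpg --print-md, spaced groups)
    re.compile(r"^(?P<name>\S+):\s*(?P<hex>(?:[0-9a-f]{2,}\s*)+)$", re.I),
)


def parse_checksum_file(text: str, expected_name: Optional[str] = None) -> str:
    """Return the lowercase hex digest found in a checksum file.

    Raises ValueError if nothing parseable is present or if the file names a
    different artifact, so a checksum file for some other legitimate release
    cannot be substituted to satisfy the check.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for fmt in _LINE_FORMATS:
            m = fmt.match(line)
            if not m:
                continue
            name = m.group("name")
            if expected_name and name and name != expected_name:
                raise ValueError(f"checksum file names {name!r}, not {expected_name!r}")
            return re.sub(r"\s+", "", m.group("hex")).lower()
    raise ValueError("no checksum found in file")


def verify_download(artifact: bytes, checksum_text: str, checksum_url: str,
                    artifact_name: str, algorithm: str = "md5") -> Tuple[bool, str]:
    """Return (ok, reason) for an artifact and the checksum file fetched for it.

    The digest is accepted only if it came from AUTHORITATIVE_HOST over https:
    a digest published beside the artifact on the same mirror proves nothing,
    because whoever replaced the artifact can replace the digest just as easily.
    """
    parsed = urlparse(checksum_url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https" or host != AUTHORITATIVE_HOST:
        return False, f"checksum served by {host!r} via {parsed.scheme}; not trusted"
    try:
        expected = parse_checksum_file(checksum_text, artifact_name)
    except ValueError as exc:
        return False, str(exc)
    actual = hashlib.new(algorithm, artifact).hexdigest()
    if len(expected) != len(actual):
        return False, f"digest length {len(expected)} is not a {algorithm} digest"
    # Constant-time comparison; both strings are lowercase ASCII hex.
    if not hmac.compare_digest(expected, actual):
        return False, "digest mismatch: artifact does not match published checksum"
    return True, "ok"


def demo() -> dict:
    """Constructed scenario: a genuine release, a tampered copy served by a
    compromised mirror, and a checksum file from each host."""
    name = "felix-1.4.0.tar.gz"                       # assumed artifact name
    genuine = b"felix release tarball (constructed sample bytes)\n"
    tampered = genuine + b"# payload appended by compromised mirror\n"
    auth_md5 = f"{hashlib.md5(genuine).hexdigest()}  {name}\n"
    mirror_md5 = f"{hashlib.md5(tampered).hexdigest()}  {name}\n"
    auth_url = f"https://{AUTHORITATIVE_HOST}/dist/felix/{name}.md5"
    mirror_url = f"https://mirror.example.net/apache/felix/{name}.md5"
    return {
        # honest mirror, digest from the central host: passes
        "genuine_vs_authoritative": verify_download(genuine, auth_md5, auth_url, name),
        # tampered file with a matching digest, both from the mirror: rejected
        # because of where the digest came from, not because of its value
        "tampered_vs_mirror": verify_download(tampered, mirror_md5, mirror_url, name),
        # tampered file checked against the central host's digest: mismatch
        "tampered_vs_authoritative": verify_download(tampered, auth_md5, auth_url, name),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case}: {'PASS' if ok else 'FAIL'} ({reason})")
```

The `algorithm` parameter lets the same code verify `.sha1` or `.sha512` files, which matters because MD5 collisions are practical today and an out-of-band MD5 only tells you the mirror did not alter the file, not that the file is what the release manager built. The origin check also only means something over TLS; with plain http, an attacker on the path can substitute both the tarball and the digest regardless of which host the link names, which is the case for the `.asc` signature route the comment mentions as the stronger alternative.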