4

Update: A version of transmission that contains malware has been distributed very recently. Quoting this ars technica article:

It appears that somehow the Transmission website may have been compromised as it was served via HTTP rather than the primary HTTPS Transmission


Original question


I want to download the transmission bittorrent application for mac, from here. There is a sha1 checksum on that page if you mouseover the link to the .dmg file link, but as the page is not served over https, I cannot tell if this is authentic. My main concern is a man in the middle attack (to corrupt the data). The fact that https is not used seems silly, because another page on their domain can establish a secure connection with a signed certificate.

I wonder if I am missing something, though this Q&A seems to agree with me. I would also like to know if there is a method to still find out if a file is authentic in a scenario like this, or in my particular case.

Community
  • 1
Matheor
  • 51
  • 4
  • 2
    What you want is a digital signature for the download signed with the developers private key. – puzzlepalace Feb 26 '16 at 20:55
  • @puzzlepalace I have no experience with that. Unfortunately I could not find their public key after a short visit to google, which I am guessing I will need (to find manually). – Matheor Feb 26 '16 at 21:04
  • @puzzlepalace It appears the public key listed under details of the certificate used to connect to securely connect to another site of their domain is in fact their own key. So I guess now I have to look for some kind of signature in the download itself.. – Matheor Feb 26 '16 at 21:38
  • The digital signature would be provided on the page and would not (hopefully) be related to the certificates key. Unfortunately it looks like in this case there is no digital signature provided by the developer, which you can't do anything about, so you'll have to take your chances. Since you stated `I would also like to know if there is a method to still find out if a file is authentic in a scenario like this` I mentioned digital signatures as this the standard approach. – puzzlepalace Feb 27 '16 at 01:49

2 Answers2

9

Getting reliable checksums

The checksum itself is reliable for what it should be used. But your expectation is wrong.

The purpose of the given hash if not to check against attacks but for inadvertent file corruption (bit flips, missing ends...). It can not be used for authenticity since both the hash and the file are served by the same site and a hacker could simply replace both when hacking the site. For checking authenticity you would need a digital signature signed by the author and not a simple hash.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • 1
    This seems to correspond to your answer [here](http://security.stackexchange.com/a/107815/102709). You say: "For checking authenticity you would need a digital signature signed by the author and not a simple hash." Do you not agree that a combination of SSL and a secure hash could provide secure way of preventing MitM attacks, even if that is apparently not the preferred method? Also the site does not need to be "hacked" (i.e. no files replaced on the server etc) for a MitM attack to happen right? Somebody on my network could be pretending to be the site, etc. – Matheor Feb 26 '16 at 21:25
  • 2
    @Matheor: if you have https then you don't need the hash at all to check against MITM, since any modification done with MITM will already be detected by https itself. That's why the hash is only for inadvertent corruption. – Steffen Ullrich Feb 26 '16 at 21:40
  • Ok, then I think I understand you. In the scenario of "a combination of SSL and a secure hash" (and a cert) I was thinking that the file might be served using http, to save overhead. Then a MitM could still tamper with that file, but not with the hash, so that the file could be verified after download. – Matheor Feb 26 '16 at 21:48
  • 4
    @Matheor: yes, if the download is done with HTTP but the hash is served with HTTPS then the hash could be used to check against corruption caused by MITM. It still cannot be used to protect against a hacked server with both modified hash and modified download. – Steffen Ullrich Feb 26 '16 at 21:54
1

The SHA-1 hash is probably not there for integrity, but because in BitTorrent files are indexed by hashes. I suppose that people who want to download that BitTorrent client may be already using a competing implementation and might like to get the new one through BitTorrent.

If you try to connect to the download page through HTTPS, it redirect you to the HTTP download page. The same happens if you use the direct URL to the file (with an https:// prefix). This looks like a misconfiguration to me. Maybe they intend to support SSL, but fumbled. Maybe they fear the "obvious high cost" of SSL (without having actually measured it). Maybe they consider that if you are going to use BitTorrent you must already be prepared to download and use shady things.

You could use the hash value in search requests on Google, to see if you can locate a "trusted" location that lists the hash and guarantees in some way that it is the right one. In this case, it does not yield much interesting results, but, generally speaking, it is something to try.

Personally, I would fear less the possibility of a MitM that modifies the hash and the file on the fly, than the idea that that compiled binary may contain malware (how could you know if the source servers were not hacked into ?). SSL would protect only against alteration in transit. (This is a generic comment that I make about the dangers of downloading things; I do not want to make disparaging assertions about that specific piece of software or its authors.)

Tom Leek
  • 168,808
  • 28
  • 337
  • 475
  • Thank you I think you make some very good points. I will probably accept your answer (and delete this unsubstantial comment). Perhaps I can still verify the authenticity using the public key I found. – Matheor Feb 26 '16 at 21:59
  • Well it seems I may have found the right kind of file, but the `codesign` utility on my mac tells me the code object is not signed at all. – Matheor Feb 26 '16 at 22:03
  • @Tom Leek “If you try to connect to the download page through HTTPS, it redirect you to the HTTP download page.” Yeah, nah, can’t agree with that. https://www.transmissionbt.com/download/ takes you to: https://download.transmissionbt.com/files/Transmission-2.92.dmg Are you sure or did I miss something in your analysis? –  Mar 07 '16 at 20:40
  • It was not possible at the time connect to the downloads page or the main page www.transmissionbt.com using https. Note that version 2.92 in your download link has not been out since after the exploit, which in turn happened after I asked this question. If you hover over the download button in this [web archive](http://web.archive.org/web/20160217103207/https://www.transmissionbt.com/) that at least points to an http address. – Matheor Mar 07 '16 at 21:09
  • My `transmission-2.84.dmg` file also has `http://www.transmissionbt.com/download/` in its "where from" field under information (same for the field `kMDItemWhereFroms ` that `mdls` displays). – Matheor Mar 07 '16 at 21:11