
If you take the Ubuntu alternative download page, for example, you also have the possibility to download the OS via torrent. Being peer-to-peer, where files are stored on anyone's machine, it got me wondering just how safe that would be compared to downloading an OS image directly from the provider's website. Be it for desktops or even for servers, where the implications of a security breach in the OS would be huge.

I'm a bit surprised that there's no signature hash that you can use to verify your download...

BitTorrent

BitTorrent is a peer-to-peer download network that sometimes enables higher download speeds and more reliable downloads of large files. You will need to install a BitTorrent client on your computer in order to enable this download method.


1 Answer

  1. File piece ("chunk") hashing is actually an essential, core feature of BitTorrent (the downloaded pieces are immediately and automatically verified), and a part of the BT protocol - the .torrent file contains the hashes needed for verification. So, unless the .torrent file is altered by an attacker (which is a very different issue), the integrity of the files is verified while they are downloaded, automatically (and invalid parts are silently discarded).

So: if you trust the source of your .torrent file (which is always questionable for a plain HTTP connection, plus see the Mint incident with the hacked site), the subsequent download is indeed the same as the source claims.

Even so, if you want to verify the integrity later,

  2. the signature hash for an ISO is the same regardless of download method - see e.g. http://cdimage.ubuntu.com/releases/15.10/release/SHA256SUMS and http://cdimage.ubuntu.com/releases/15.10/release/SHA256SUMS.gpg for the 15.10 release hashes and signatures.

See also: Is Torrent safe for sharing legitimate files (file verification)? Does it use SHA1 or SHA256?
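An added example (not part of the question or the answer above) of the client-side check described in point 1: a minimal bencode decoder reads a single-file .torrent `info` dictionary, and the SHA-1 of each downloaded piece is compared against the matching 20-byte entry in its `pieces` field, so a piece altered by a peer fails and would be discarded and re-fetched. The torrent, the payload and the tiny piece length are constructed for illustration only.

```python
import hashlib

PIECE_LEN = 4  # constructed: tiny piece size for readability; real torrents use 256 KiB or more


def bdecode(data, i=0):
    """Minimal bencode decoder (written for this example, not a production library)."""
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                           # list or dict of nested values
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            v, i = bdecode(data, i)
            items.append(v)
        if c == b"l":
            return items, i + 1
        return dict(zip(items[0::2], items[1::2])), i + 1
    colon = data.index(b":", i)                     # byte string: <length>:<bytes>
    n = int(data[i:colon])
    return data[colon + 1:colon + 1 + n], colon + 1 + n


def verify_pieces(info, payload):
    """Per-piece verdicts, as a BT client computes them: SHA-1 of piece k must
    equal bytes [20k, 20k+20) of info['pieces']."""
    plen, hashes = info[b"piece length"], info[b"pieces"]
    results = []
    for idx in range(len(hashes) // 20):
        piece = payload[idx * plen:(idx + 1) * plen]
        results.append(hashlib.sha1(piece).digest() == hashes[idx * 20:(idx + 1) * 20])
    return results


def make_info(name, payload, plen):
    """Bencode a single-file 'info' dict by hand (keys must be in sorted order)."""
    pieces = b"".join(hashlib.sha1(payload[i:i + plen]).digest()
                      for i in range(0, len(payload), plen))
    return (b"d6:lengthi%de4:name%d:%s12:piece lengthi%de6:pieces%d:%se"
            % (len(payload), len(name), name, plen, len(pieces), pieces))


GOOD = b"UBUNTU15.10-ISO!"      # constructed 16-byte stand-in for an ISO image
TAMPERED = b"UBUNTU15.1X-ISO!"  # constructed: one byte altered by a malicious peer
TORRENT_INFO = make_info(b"test.iso", GOOD, PIECE_LEN)


def check(payload):
    info, _ = bdecode(TORRENT_INFO)
    return verify_pieces(info, payload)


if __name__ == "__main__":
    print(check(GOOD))      # [True, True, True, True]
    print(check(TAMPERED))  # [True, True, False, True]: only piece 2 is rejected
```

Note that this only proves the download matches the .torrent; whether the .torrent itself is genuine is exactly what the SHA256SUMS.gpg signature in point 2 answers.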