
Sometimes a website that has some binaries to download also presents their hash keys, so that a user can verify the integrity of the binary. I suppose this is mainly for security reasons, not to check for corrupted data transfer.

However — if the binary has been compromised, isn't it reasonable to assume that the hash key provided by the web site has also been tampered with, to match the modified binary?

Why would we assume that provided hash keys are immune to hacking when we won't for binaries?

  • If the downloaded file and the hash are from the same website, there is generally no security benefit; the usefulness comes when the downloaded file is externally hosted. – AndrolGenhald Sep 14 '18 at 20:16

1 Answer


If a server has been compromised, you should not download any content from it in general; keep in mind that the binary and the hashes (sha256, md5sum, blake2s or whatever) are potentially suspected of having been changed.

camp0
  • If the hash key matches the binary, how can I know the web site has been compromised? – user209974 Sep 14 '18 at 20:08
  • If you don't know if the server has been compromised, probably the best option is to download the binary and send it to virustotal or any service that can analyze the binary. – camp0 Sep 14 '18 at 20:11
  • Sure. Then would you say hash keys are useless? – user209974 Sep 14 '18 at 20:13
  • Well, if you download a binary from Microsoft, probably the level of security is higher than if you download from an unknown server. Another option is to verify that binary from different sources (if they exist) and check the hashes before you execute them; if you are really paranoid, the best is to send the downloaded binary to virustotal. In general I don't trust downloading any binary from any place, but this is a personal opinion that may vary with other users. – camp0 Sep 14 '18 at 20:24
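
Added example, not part of the original thread: a sketch of the distinction raised in the comments, where a hash only adds security when it comes from somewhere other than the host serving the file, and checking several sources exposes disagreement. The function names, the `example.net`/`example.org` URLs and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import io
from urllib.parse import urlsplit


def sha256_stream(stream, chunk_size=65536):
    """Hash a binary stream in chunks so large downloads need not fit in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def origin(url):
    """Scheme, host and port identify who actually served a URL."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port)


def assess(download_url, actual_hex, published):
    """published maps the URL a digest was read from to the hex digest found there.

    Returns (verdict, independent_matches). A digest served from the same origin
    as the file only detects corruption: whoever replaced the file could replace it too.
    """
    file_origin = origin(download_url)
    independent, mismatched = [], []
    for source_url, expected_hex in published.items():
        same = hmac.compare_digest(actual_hex.lower(), expected_hex.strip().lower())
        if not same:
            mismatched.append(source_url)
        elif origin(source_url) != file_origin:
            independent.append(source_url)
    if mismatched:
        return "reject", independent      # any disagreement: do not run the file
    if independent:
        return "verified", independent    # at least one separate origin agrees
    return "integrity-only", independent  # matches, but only the file's own host says so


# Constructed sample: bytes standing in for a downloaded installer.
payload = b"constructed installer bytes"
actual = sha256_stream(io.BytesIO(payload))
mirror = "https://mirror.example.net/tool.bin"
same_host = {"https://mirror.example.net/tool.bin.sha256": actual}
separate = {"https://project.example.org/checksums.txt": actual}
print(assess(mirror, actual, same_host))
print(assess(mirror, actual, separate))
```

A different origin is only a proxy for independence here: two hostnames run by the same operator would still be reported as `verified`.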