David E. Ross wrote:
On 10/14/12 3:09 PM, Robert Kaiser wrote:
David E. Ross schrieb:
I go to the FTP server so that I can also download the related SHA1
checksum.

FYI, if you use the SeaMonkey-internal update mechanism, you get both
the advantages of using as-local-as-possible mirrors *and* verification
with a checksum that is not just SHA-1 but SHA-512 - and the checksum
and other info about the update is coming via an encrypted connection
(SSL) that is only allowed to be signed by certain CAs, so that the
delivery mechanism is *really* secure.

Robert Kaiser


Having to maintain two PCs, I prefer to download the update and then
install from my hard drive.  For incremental updates via .mar files, I
developed a .bat file script to do this.

What I really want is to download once and install twice.  The internal
update capability would download twice to install twice.

I recently obtained an application to compute and verify SHA512
checksums.  While Thunderbird updates on the FTP servers have SHA512
checksums as well as MD5 and SHA1, SeaMonkey updates on the FTP servers
have only MD5 and SHA1.

A short word about CRC methods: sources of error are transmission error and deliberate tampering. The reason people moved away from MD5 was that it is in some cases actually possible to modify a binary and fudge it to match an MD5 sum. SHA-1 is more resistant to deliberate tampering, but since you are getting the binary and CRC values from the same machine, if someone could hack the binary they could hack the CRC as well, giving no protection against tampering.

SHA-512 is better than SHA-1 and SHA-256, but there is a paper out showing that SHA-224 is actually more resistant to tampering but less so for random errors. I leave it to you to find and read that topic if you care; the short answer is that MD5 is fine as a check for random damage in most cases, and getting the CRC (of any kind) from the same site as the binary is a risk. If you want secure, pull the SHA-512 via FTP from the master server, then download and check the actual binary from somewhere fast.

--
Bill Davidsen <david...@tmr.com>
  We are not out of the woods yet, but we know the direction and have
taken the first step. The steps are many, but finite in number, and if
we persevere we will reach our destination.  -me, 2010


_______________________________________________
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey
