Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
In order to prevent malicious hackers compromising a huge mirror site (even main site itself), or whatnot, and tampering with rpms/binaries and altering the md5sums posted the site, I propose the following:
Individual contact with the creators to find out the correct md5sum, before public release.
Contact a series of host sites that are willing to host a text file of md5sums (and update it). Can be international, etc..
Then, a program that contacts all the host sites and cross-checks them with eachother, and lists non-matches, % correct matches, which ones are different, etc etc... You simply tell the program which rpm or binary you wish to check, and it goes out and cross-references them all.
This would make it very difficult for those wishing to alter the publically posted md5sums and binaries on a single host site.
It would be a fairly large list, even split up into different lists for faster access if it grows. It would contain all the most popular and important program binary md5sums..
Sites that are down, etc are ignored and left out... all the technical stuff is pretty simple.. I'm willing to program and maintain it if there's enough interest.
Sounds like a good idea. I don't think it would be realistic to contact everyone realising ISOs to get the correct values though - it would require a lot of maintenance and would probably break down fairly soon. I think you need some automated way to figure out if an md5 is likely to be wrong and flag up if there is concern.
What do you people think?
Maintaining it: Hell of a job.
How usefull?: vendors and 3rd party binaries wont be supported, own builds won't be supported.
Authentication?, how about fooling the process?
There's three apps I know of using it, "Knowngoods"' checker, Tiger and Rootkit Hunter. Knowngood shows the problem with maintenance, Tiger only supports Debian, and RKH shows what happen if your md5sums aren't listed (release not in db).
Other than that, if you think you've got this groundbreaking idea, and if you got an alpha out, post it here and I'll definately support it by testing it.