LinuxQuestions.org

Forum: Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
Thread: Proposed Cross-Reference Md5sum Project (https://www.linuxquestions.org/questions/linux-security-4/proposed-cross-reference-md5sum-project-179261/)

lrt2003 05-08-2004 09:21 AM

Proposed Cross-Reference Md5sum Project
 
Hello there!

In order to prevent malicious hackers from compromising a huge mirror site (or even the main site itself), or whatnot, and tampering with RPMs/binaries and altering the md5sums posted on the site, I propose the following:

Individual contact with the creators to find out the correct md5sum, before public release.

Contact a series of host sites that are willing to host a text file of md5sums (and update it). Can be international, etc..

Then, a program that contacts all the host sites and cross-checks them with each other, and lists non-matches, % correct matches, which ones are different, etc. etc... You simply tell the program which RPM or binary you wish to check, and it goes out and cross-references them all.

This would make it very difficult for those wishing to alter the publicly posted md5sums and binaries on a single host site.

It would be a fairly large list, even split up into different lists for faster access if it grows. It would contain all the most popular and important program binary md5sums..

Sites that are down, etc., are ignored and left out... all the technical stuff is pretty simple. I'm willing to program and maintain it if there's enough interest.

What do you people think?
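
An added example of the cross-referencing step described in the post above (this is not code from the thread; the host names, the package, and every checksum are constructed for the demonstration): it parses md5sum-format lists from several hosts, ignores hosts that are down or that do not list the file, takes a strict-majority digest as the consensus, reports the percentage agreement and which hosts disagree, and then compares the local file's digest against that consensus. One caveat a practitioner would keep in mind: agreement across hosts only shows that the copies are consistent with each other. If the checksum was already wrong at the source before the hosts copied it, they will all agree on the wrong value, which is why the post's first step, getting the value from the creators themselves, matters.

```python
"""Cross-check one package's md5sum against lists published by several hosts.

Added example, not code from the original thread. Every host name, file
name and checksum below is constructed; a real checker would fetch each
host's list over the network instead of reading it from a dict.
"""
import hashlib
from collections import Counter

HEX = set("0123456789abcdef")


def md5_hex(data: bytes) -> str:
    """md5 of in-memory bytes, formatted the way md5sum(1) prints it."""
    return hashlib.md5(data).hexdigest()


def parse_md5sum_list(text: str) -> dict:
    """Parse md5sum(1) output ("<hex>  <name>" or "<hex> *<name>") into {name: hex}.

    Blank lines, comments and lines without a 32-hex-digit checksum are
    skipped, so a truncated or hostile list cannot crash the checker.
    """
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) == 32 and set(digest) <= HEX:
            entries[name] = digest
    return entries


def cross_check(filename: str, local_digest: str, host_lists: dict) -> dict:
    """Compare the local file's digest with what every reachable host lists.

    host_lists maps host -> raw list text, or None if the host was down.
    Down hosts and hosts that do not list the file are reported but do not
    vote, as the proposal suggests.  A consensus digest needs a strict
    majority of the voting hosts; a 1-1 split yields no consensus.
    """
    votes, missing, unreachable = {}, [], []
    for host, text in host_lists.items():
        if text is None:
            unreachable.append(host)
            continue
        digest = parse_md5sum_list(text).get(filename)
        if digest is None:
            missing.append(host)
        else:
            votes[host] = digest
    consensus, agreement = None, 0.0
    if votes:
        digest, count = Counter(votes.values()).most_common(1)[0]
        if 2 * count > len(votes):
            consensus, agreement = digest, 100.0 * count / len(votes)
    return {
        "file": filename,
        "local": local_digest,
        "consensus": consensus,
        "agreement_pct": agreement,
        "agree": sorted(h for h, d in votes.items() if d == consensus),
        "disagree": {h: d for h, d in sorted(votes.items()) if d != consensus},
        "missing": missing,
        "unreachable": unreachable,
        "local_ok": consensus is not None and local_digest == consensus,
    }


# --- constructed demonstration data (not real mirrors or packages) ---------
PACKAGE_NAME = "foo-1.0-1.i386.rpm"
PACKAGE_BYTES = b"constructed package contents, not a real rpm\n"
GOOD = md5_hex(PACKAGE_BYTES)
TAMPERED = md5_hex(b"trojaned package contents\n")
OTHER = md5_hex(b"some other package\n")

SAMPLE_HOSTS = {
    "mirror-a.example": f"{GOOD}  {PACKAGE_NAME}\n{OTHER}  bar-2.0.tar.gz\n",
    "mirror-b.example": f"{GOOD} *{PACKAGE_NAME}\n",                       # binary-mode marker
    "mirror-c.example": f"# list altered on this host\n{TAMPERED}  {PACKAGE_NAME}\n",
    "mirror-d.example": f"{OTHER}  bar-2.0.tar.gz\nnot a checksum line\n",  # file not listed
    "mirror-e.example": None,                                              # host down; ignored
}


def demo() -> dict:
    """Run the cross-check for the constructed package against the sample hosts."""
    return cross_check(PACKAGE_NAME, md5_hex(PACKAGE_BYTES), SAMPLE_HOSTS)


if __name__ == "__main__":
    r = demo()
    print(f"{r['file']}: consensus {r['consensus']} ({r['agreement_pct']:.0f}% of listing hosts)")
    print("agree:", r["agree"], " disagree:", r["disagree"])
    print("not listed on:", r["missing"], " unreachable:", r["unreachable"])
    print("local file matches consensus:", r["local_ok"])
```

Run as-is it reports mirror-c as the odd one out, mirror-d as not listing the package, mirror-e as unreachable, and the local file as matching the two-host majority. Replacing the dict values with the text fetched from real hosts is the only change needed to use it for the purpose the post describes.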

iainr 05-09-2004 03:28 AM

Sounds like a good idea. I don't think it would be realistic to contact everyone releasing ISOs to get the correct values though - it would require a lot of maintenance and would probably break down fairly soon. I think you need some automated way to figure out if an md5 is likely to be wrong and flag it up if there is concern.

unSpawn 05-10-2004 01:09 PM

What do you people think?
Maintaining it: Hell of a job.
How useful?: vendor and 3rd party binaries won't be supported, own builds won't be supported.
Authentication?, how about fooling the process?

There are three apps I know of using it: Knowngoods' checker, Tiger and Rootkit Hunter. Knowngoods shows the problem with maintenance, Tiger only supports Debian, and RKH shows what happens if your md5sums aren't listed (release not in db).

Other than that, if you think you've got this groundbreaking idea, and if you get an alpha out, post it here and I'll definitely support it by testing it.

lrt2003 05-12-2004 02:18 AM

Thanks for the feedback guys..

I will let you know if I get something started.. I just have to do some thinking... efficiency and automation are on my mind.. and security of course :)

