ONJava.com -- The Independent Source for Enterprise Java
  Avoiding Trojans and Rootkits
Subject:   MD5 vs. PGP
Date:   2003-03-07 03:41:20
From:   anonymous2
You use an example of an ftp site with some files on it, and a file containing checksums to verify the integrity of these files. Let's presume the site in question has been hacked, and the software trojaned - it wouldn't take much for the attacker to modify the file containing MD5 sums to reflect the checksums on his modified version of the tarballs, etc.

In this instance I believe verifying PGP signatures would be a lot more reliable. For example, ftp.kernel.org does this with its files. There is a helpful document on this here: http://www.kernel.org/signature.html

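The scenario raised in the comment above, as an added example that is not part of the original post or article: a checksum file stored next to the download is regenerated along with the modified file and still verifies, while a signature checked against a public key obtained separately does not. Python's standard library has no PGP, so a Lamport one-time hash-based signature stands in for the PGP signature; the file name, contents and the assumption that the public key reached the user out of band are all constructed for illustration.

```python
import hashlib
import secrets

def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def md5_line(name: str, data: bytes) -> str:
    """One line in md5sum format: '<hex digest>  <file name>'."""
    return f"{hashlib.md5(data).hexdigest()}  {name}"

def md5_ok(name: str, data: bytes, sums: str) -> bool:
    """Verify data against a checksum file fetched from the same server."""
    return md5_line(name, data) in sums.splitlines()

# Lamport one-time signature (stand-in for PGP; one key signs ONE message only).
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def bits(msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def demo():
    name = "pkg-1.0.tar.gz"                      # constructed file name
    original = b"constructed release contents"   # constructed sample data
    sk, pk = keygen()   # assumption: pk reached the user out of band; sk is offline
    server = {"file": original, "sums": md5_line(name, original),
              "sig": sign(sk, original)}
    # Compromised server: file replaced, checksum file regenerated to match.
    server["file"] = original + b" [modified]"
    server["sums"] = md5_line(name, server["file"])
    # The signature cannot be regenerated without sk, so the old one remains.
    return {
        "md5_accepts_modified": md5_ok(name, server["file"], server["sums"]),
        "sig_accepts_modified": verify(pk, server["file"], server["sig"]),
        "sig_accepts_original": verify(pk, original, server["sig"]),
    }

if __name__ == "__main__":
    print(demo())
```

The signature check is only as trustworthy as the public key: if the key is downloaded from the same compromised server, it can be swapped just like the checksum file.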