On the issue of downloading files from untrusted sites #2

As I promised, I am going to describe a couple of ideas I perceived while I was going through the vulnerability in VMware products. Here is the first one. More than a year ago I wrote about the threats of downloading an OS from p2p networks, and one of my Russian readers told me that it is quite safe if you know the correct hash value for the ISO image. Unfortunately, my recent post about the vulnerability has just rendered such an opinion not very correct. You see, when a file is downloaded from some p2p network, it is sometimes accompanied by some unnecessary files, so it is pretty easy to trigger such a trap. Therefore, there are no safe p2p downloads, actually.

P.S. BTW, a hash code only provides reasonably good protection – it is not a silver bullet. It is not necessarily unique for every file of the same size.
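
An added example (not from the original post): a Python audit of a download directory that checks every file against a trusted hash list and reports anything extra, because a correct ISO hash says nothing about the files that arrive alongside it. The function names, file names and sample contents are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large ISO images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def audit_download(root, expected):
    """expected maps relative path -> SHA-256 hex obtained from a trusted source.
    Returns (verified, mismatched, missing, unexpected) as sorted lists."""
    verified, mismatched, unexpected, seen = [], [], [], set()
    for dirpath, dirnames, filenames in os.walk(root):
        # os.walk does not descend into symlinked directories; report them instead.
        links = [d for d in dirnames if os.path.islink(os.path.join(dirpath, d))]
        for name in filenames + links:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            # Anything not on the trusted list (or any symlink) is flagged, not hashed.
            if os.path.islink(full) or rel not in expected:
                unexpected.append(rel)
                continue
            seen.add(rel)
            if sha256_file(full) == expected[rel].lower():
                verified.append(rel)
            else:
                mismatched.append(rel)
    missing = sorted(set(expected) - seen)
    return sorted(verified), sorted(mismatched), missing, sorted(unexpected)

def demo():
    # Constructed sample: one "ISO" whose hash is known, plus one extra file
    # of the kind that can ride along in a p2p download.
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "distro.iso"), "wb") as f:
            f.write(b"constructed ISO bytes")
        with open(os.path.join(root, "extra.bin"), "wb") as f:
            f.write(b"constructed extra file")
        expected = {"distro.iso": hashlib.sha256(b"constructed ISO bytes").hexdigest()}
        return audit_download(root, expected)

if __name__ == "__main__":
    print(demo())
```

A download is only as trustworthy as the hash list itself, and only when the `unexpected` and `mismatched` lists both come back empty.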

2 thoughts on “On the issue of downloading files from untrusted sites #2”

  1. Alexander Trofimov

    Well, usually we consider that we trust a vendor’s site to some extent (though it obviously should not be trusted by default). So if the hash of a downloaded file is the same as stated at the vendor’s site then we can think of the file as a “genuine” one.
    Again, to some extent only, because the site can be hacked, or malware can be already in the “genuine” file by accident, or… You name it.

