Page 1 of 1

Provide better checksum and GPG sigs

Posted: Mon Oct 02, 2017 5:36 pm
by inaboxwithsandornot
On your download site (https://www.sandboxie.com/AllVersions) only MD5 and SHA1 checksum are available.
Both are broken so please provide SHA2-512 and SHA3 instead of weak MD5 and SHA1.

And to verify the files are realy from you, provide GPG.asc signature for binarys with GPG ID & fingerprint so we can check that.
Sandboxie is a important security software so it need important secure ways to verify the integrity :!:

Re: Provide better checksum and GPG sigs

Posted: Tue Oct 03, 2017 9:48 am
by Barb@Invincea
Hello inaboxwithsandornot ,
On your download site (https://www.sandboxie.com/AllVersions) only MD5 and SHA1 checksum are available.
Both are broken so please provide SHA2-512 and SHA3 instead of weak MD5 and SHA1.
What is broken, exactly? Could you please provide more info so that I can take a look and make the necessary updates?

Regarding your second request, I am not sure we are going to change the SHA1/MD5 for the time being, however, I will reach out to the devs and see what they think about it.

Regards,
Barb.-

Re: Provide better checksum and GPG sigs

Posted: Tue Oct 03, 2017 1:19 pm
by inaboxwithsandornot
You found a lot of links with broken MD5 and SHA1.
The checksum can be spoofed, so its broken

Re: Provide better checksum and GPG sigs

Posted: Tue Oct 03, 2017 1:22 pm
by Barb@Invincea
inaboxwithsandornot wrote:
Tue Oct 03, 2017 1:19 pm
You found a lot of links with broken MD5 and SHA1.
The checksum can be spoofed, so its broken
Unless you can provide examples of what is broken on our end, I will not be able to review it.
The md5 and SHA1 posted for our Sandboxie download are not broken and they are correct at the moment.

Regards,
Barb.-

Re: Provide better checksum and GPG sigs

Posted: Sat Oct 07, 2017 1:01 pm
by inaboxwithsandornot
https://duckduckgo.com/?t=palemoon&q=md5+broken & https://duckduckgo.com/?q=sha1+broken&t=palemoon

The whole way to generate the MD5 & SHA1 checksum is broken and can be spoofed.
Thats why we need to use stronger ones, like SHA2 and SHA3

MERGED POST
SHA1: https://www.schneier.com/blog/archives/ ... roken.html, https://www.quora.com/In-cryptography-w ... ms?share=1 and a lot more.
Or as TL;DR: On February 23, 2017 CWI Amsterdam and Google announced they had performed a collision attack against SHA-1,[14][15] publishing two dissimilar PDF files which produce the same SHA-1 hash as proof of concept.

And MD5 is even worse:
The security of the MD5 has been severely compromised, with its weaknesses having been exploited in the field, most infamously by the Flame malware in 2012. The CMU Software Engineering Institute considers MD5 essentially "cryptographically broken and unsuitable for further use".[4] Despite this known vulnerability, MD5 remains in use.
A 2013 attack by Xie Tao, Fanbao Liu, and Dengguo Feng breaks MD5 collision resistance in 218 time. This attack runs in less than a second on a regular computer.[2]
MD5 is prone to length extension attacks.

Is that enough? I dont understand why you dont know that nor just use stronger checksums

Re: Provide better checksum and GPG sigs

Posted: Mon Oct 09, 2017 1:30 pm
by Barb@Invincea
Hello inaboxwithsandornot ,

It looks like you are talking about a general issue with SHAs / MD5, but you are not reporting anything broken with the ones currently posted. I thought you had examples to provide about incorrect info provided on our end, sorry about any confusion.

I have already replied to the other portion on my first response.
I will update this thread if new information becomes available.

Regards,
Barb.-