On your download site (https://www.sandboxie.com/AllVersions) only MD5 and SHA1 checksum are available.
Both are broken so please provide SHA2-512 and SHA3 instead of weak MD5 and SHA1.
And to verify the files are realy from you, provide GPG.asc signature for binarys with GPG ID & fingerprint so we can check that.
Sandboxie is a important security software so it need important secure ways to verify the integrity
Provide better checksum and GPG sigs
-
- Sandboxie Support
- Posts: 2337
- Joined: Mon Nov 07, 2016 3:10 pm
Re: Provide better checksum and GPG sigs
Hello inaboxwithsandornot ,
Regarding your second request, I am not sure we are going to change the SHA1/MD5 for the time being, however, I will reach out to the devs and see what they think about it.
Regards,
Barb.-
What is broken, exactly? Could you please provide more info so that I can take a look and make the necessary updates?On your download site (https://www.sandboxie.com/AllVersions) only MD5 and SHA1 checksum are available.
Both are broken so please provide SHA2-512 and SHA3 instead of weak MD5 and SHA1.
Regarding your second request, I am not sure we are going to change the SHA1/MD5 for the time being, however, I will reach out to the devs and see what they think about it.
Regards,
Barb.-
Re: Provide better checksum and GPG sigs
You found a lot of links with broken MD5 and SHA1.
The checksum can be spoofed, so its broken
The checksum can be spoofed, so its broken
-
- Sandboxie Support
- Posts: 2337
- Joined: Mon Nov 07, 2016 3:10 pm
Re: Provide better checksum and GPG sigs
Unless you can provide examples of what is broken on our end, I will not be able to review it.inaboxwithsandornot wrote: ↑Tue Oct 03, 2017 1:19 pmYou found a lot of links with broken MD5 and SHA1.
The checksum can be spoofed, so its broken
The md5 and SHA1 posted for our Sandboxie download are not broken and they are correct at the moment.
Regards,
Barb.-
Re: Provide better checksum and GPG sigs
https://duckduckgo.com/?t=palemoon&q=md5+broken & https://duckduckgo.com/?q=sha1+broken&t=palemoon
The whole way to generate the MD5 & SHA1 checksum is broken and can be spoofed.
Thats why we need to use stronger ones, like SHA2 and SHA3
MERGED POST
SHA1: https://www.schneier.com/blog/archives/ ... roken.html, https://www.quora.com/In-cryptography-w ... ms?share=1 and a lot more.
Or as TL;DR: On February 23, 2017 CWI Amsterdam and Google announced they had performed a collision attack against SHA-1,[14][15] publishing two dissimilar PDF files which produce the same SHA-1 hash as proof of concept.
And MD5 is even worse:
The security of the MD5 has been severely compromised, with its weaknesses having been exploited in the field, most infamously by the Flame malware in 2012. The CMU Software Engineering Institute considers MD5 essentially "cryptographically broken and unsuitable for further use".[4] Despite this known vulnerability, MD5 remains in use.
A 2013 attack by Xie Tao, Fanbao Liu, and Dengguo Feng breaks MD5 collision resistance in 218 time. This attack runs in less than a second on a regular computer.[2]
MD5 is prone to length extension attacks.
Is that enough? I dont understand why you dont know that nor just use stronger checksums
The whole way to generate the MD5 & SHA1 checksum is broken and can be spoofed.
Thats why we need to use stronger ones, like SHA2 and SHA3
MERGED POST
SHA1: https://www.schneier.com/blog/archives/ ... roken.html, https://www.quora.com/In-cryptography-w ... ms?share=1 and a lot more.
Or as TL;DR: On February 23, 2017 CWI Amsterdam and Google announced they had performed a collision attack against SHA-1,[14][15] publishing two dissimilar PDF files which produce the same SHA-1 hash as proof of concept.
And MD5 is even worse:
The security of the MD5 has been severely compromised, with its weaknesses having been exploited in the field, most infamously by the Flame malware in 2012. The CMU Software Engineering Institute considers MD5 essentially "cryptographically broken and unsuitable for further use".[4] Despite this known vulnerability, MD5 remains in use.
A 2013 attack by Xie Tao, Fanbao Liu, and Dengguo Feng breaks MD5 collision resistance in 218 time. This attack runs in less than a second on a regular computer.[2]
MD5 is prone to length extension attacks.
Is that enough? I dont understand why you dont know that nor just use stronger checksums
-
- Sandboxie Support
- Posts: 2337
- Joined: Mon Nov 07, 2016 3:10 pm
Re: Provide better checksum and GPG sigs
Hello inaboxwithsandornot ,
It looks like you are talking about a general issue with SHAs / MD5, but you are not reporting anything broken with the ones currently posted. I thought you had examples to provide about incorrect info provided on our end, sorry about any confusion.
I have already replied to the other portion on my first response.
I will update this thread if new information becomes available.
Regards,
Barb.-
It looks like you are talking about a general issue with SHAs / MD5, but you are not reporting anything broken with the ones currently posted. I thought you had examples to provide about incorrect info provided on our end, sorry about any confusion.
I have already replied to the other portion on my first response.
I will update this thread if new information becomes available.
Regards,
Barb.-
Who is online
Users browsing this forum: No registered users and 1 guest