Nov 12, 2015 at 3:06 PM
Edited Nov 12, 2015 at 3:07 PM
I would like to suggest that md5 and sha256 cryptographic hashes be included in the text of the download pages.
OpenPGP signatures may be more secure than hashes published on a web page. However, they require a certain level of understanding and the presence of another, rather complex software application (PGP/GPG) on the user's computer and the ability to use it, and this is not normally done by end users, especially not on Windows systems. In contrast, checking the hashes after the download is completed is a trivial process. For an attacker, the work involved in forging hashes on the fly is quite demanding and easily detected with minimal effort by the software publisher.
When the hashes are not published, I habitually post them on the application forum, as follows:
543767792f640f1e1cfa863fec302056 VeraCrypt Setup 1.16.exe
8a67364348c652dbb623e47d4c9bce85 VeraCrypt User Guide0.pdf
8a67364348c652dbb623e47d4c9bce85 VeraCrypt User Guide.pdf
aafacca9a600af5b8d66387718c984b8655905f72370bbd772baf90e57e85b7e VeraCrypt Setup 1.16.exe
f5c70ad7ea8dd660f62b9162f745728ccfad1d00e74b3a4eedccf6c3d92eb43f VeraCrypt User Guide0.pdf
f5c70ad7ea8dd660f62b9162f745728ccfad1d00e74b3a4eedccf6c3d92eb43f VeraCrypt User Guide.pdf
I assume someone reading this and checking hashes of his downloads would, for mutual benefit, promptly sound an alarm in case of any mismatch.
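The check described above, verifying a downloaded file against a published md5sum/sha256sum-style list, as an added example that is not part of the original post. It parses lines in the same `digest  filename` form as the list quoted above, picks the algorithm from the digest length, and reports OK, MISMATCH or MISSING per file. The file names, contents and the deliberately wrong entry in `demo()` are constructed for illustration; the digests there are the standard MD5/SHA-256 values of the byte strings `abc` and the empty string.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Hex digest length -> algorithm, covering the two list formats shown in the post.
DIGEST_ALGOS = {32: "md5", 64: "sha256"}

# "digest  filename" with optional '*' binary-mode marker as written by md5sum/sha256sum.
LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(.+)$")


def parse_hash_list(text):
    """Return (algo, digest, filename) tuples; lines that are not hash entries are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        digest, name = m.group(1).lower(), m.group(2)
        algo = DIGEST_ALGOS.get(len(digest))
        if algo is None:  # unknown digest size, e.g. a truncated or SHA-1 line
            continue
        entries.append((algo, digest, name))
    return entries


def file_digest(path, algo, chunk=1 << 20):
    """Hash a file in chunks so large installers do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_downloads(hash_list_text, directory):
    """Check every listed file under `directory`; returns {filename: {algo: status}}."""
    results = {}
    for algo, expected, name in parse_hash_list(hash_list_text):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            status = "MISSING"
        elif hmac.compare_digest(file_digest(path, algo), expected):
            status = "OK"
        else:
            status = "MISMATCH"
        results.setdefault(name, {})[algo] = status
    return results


def demo():
    """Constructed end-to-end run: sample files in a temp dir checked against a sample list."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good-setup.exe"), "wb") as f:
            f.write(b"abc")  # matches the published digests below
        with open(os.path.join(d, "tampered.bin"), "wb") as f:
            f.write(b"abd")  # one byte differs from what the list claims
        published = "\n".join([
            "900150983cd24fb0d6963f7d28e17f72  good-setup.exe",
            "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  good-setup.exe",
            "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  tampered.bin",
            "d41d8cd98f00b204e9800998ecf8427e  missing.pdf",
        ])
        return verify_downloads(published, d)


if __name__ == "__main__":
    for name, statuses in demo().items():
        for algo, status in statuses.items():
            print(f"{status:8} {algo:6} {name}")
```

Any MISMATCH is exactly the alarm the post asks readers to raise; a MISSING entry usually means the list and the download directory are out of step rather than tampering, so the script keeps the two cases distinct.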
Nov 12, 2015 at 3:20 PM
Thanks for the prompt reply. Indeed I missed them. I apologise.
For what it's worth, for the stuff I publish, hashes are given not as a file to be downloaded, but in the download page HTML text, together with a gentle nudge to the downloaders to check them. (My comment on the likelihood of MS Windows users checking PGP signatures stands.) I am in the habit of visiting the page and glancing at the hashes often, as I pass by some Internet-connected computer completely unrelated to me. I do that both as a user and as a publisher. An attacker would have to be very, very capable to know when to forge them and when not to.
Anyway, thank you for the commendable effort on this project!