No more MD5 checksum

samiux

Please be informed that it is suggested that we no longer trust the MD5 checksum anymore.  It is very easy to create two different binaries with the same MD5 checksum.

Samiux

cnewshk

We knew md5 or even sha1 are no longer trustable, but could you explain why you need to re-emphasise it today? Is there any new vulnerability was found recently?

samiux

We knew md5 or even sha1 are no longer trustable, but could you explain why you need to re-emphasise ...
cnewshk 發表於 2015-5-7 17:03

A researcher find a very easy way to make same MD5 checksum on two different binaries.  There are some download sites are still using MD5 checksum.  

I just to alert.

Samiux

rhino

Is there any alternative method to do intergity check of a file？

uganda_martyr

Please be informed that it is suggested that we no longer trust the MD5 checksum anymore.  It is ver ...
samiux 發表於 2015-5-7 16:45

So, what do you recommend?
Grateful for your advice.

samiux

@rhino and @uganda_martyr,

I may not be right but I suggest to use sha256sum for that purpose.

Samiux

lazyfai

In fact, checksum is important? Most important thing is NEVER download any software from untrusted source, eg. mainland forums pirate version, etc.

samiux

In fact, checksum is important? Most important thing is NEVER download any software from untrusted s ...
lazyfai 發表於 2015-5-7 21:47

May be you are right.  However, I am sorry to tell you that do not trust what you are downloaded even you do not download from untrust sources.

Samiux

lazyfai

Yes, you are right too.
In fact, if a hacker can replace a file on a download site with another file, he should be able to change the md5 or even sha256sum listed on the site as well.