Application signing will be better than trusting the hash of the binaries.


A researcher found a very easy way to make the same MD5 checksum on two different binaries. There are ...
samiux posted on 2015-5-7 17:44


If there is any similar recent finding, a link to the news would be appreciated. Thx


Yes, you are right too.
In fact, if a hacker can replace a file on a download site with another file ...
lazyfai posted on 2015-5-8 08:13



There is a method in the wild by which malicious code can be injected into the binaries while you are downloading them. For security reasons, I will not disclose the link here, as it includes the exploit code.

Samiux


This post was last edited by samiux on 2015-5-8 11:25

@IanW,

Sorry, for security reasons, I will not disclose the link here, as it includes the exploit code.

@secmaster,

Yes, but not all downloadable binaries are signed. Meanwhile, signing the binaries cannot prevent malicious code from being injected into them. I just want to alert you all to the matter.

Samiux

Update reason: modified the reply to @secmaster


Note: the author has been banned or deleted; content automatically hidden.


Reply to #13 samiux
Can you explain the concept of the exploit, if sharing the code is not advisable?
Did you mean that an untrusted source can inject/add malicious code to a binary while maintaining its original MD5?
And so we should stay alert when downloading over unencrypted/unauthenticated HTTP?


Note: the author has been banned or deleted; content automatically hidden.


This post was last edited by ykmran on 2015-5-8 23:44

Can you stop being so mysterious and just post the link...
http://natmchugh.blogspot.co.uk/ ... -with-same-md5.html

The link above was already on the front page of r/netsec...
http://www.reddit.com/r/netsec/
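The linked post is about building two different files that share one MD5 checksum. The added example below is not code from the thread or from the linked blog; it uses the published Wang et al. two-block MD5 collision as its test vectors (the 128-byte blocks are the canonical public pair, not generated here) and shows the property that turns one collision into two different "binaries": because MD5 is a Merkle-Damgard hash and the colliding prefix is exactly two 64-byte blocks, any common suffix appended to both keeps the MD5 equal while SHA-256 tells them apart. The `behaviour()` function is a constructed stand-in for the branch a real colliding executable would contain (same code in both twins, keyed off the first differing byte); the suffix text is constructed sample data.

```python
import hashlib

# Published Wang et al. MD5 collision pair: two 128-byte inputs that differ in
# six bytes yet hash to the same MD5. Public test vectors, not produced here.
BLOCKS_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
BLOCKS_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte offsets at which two equal-length inputs differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def make_twins(shared_suffix: bytes):
    """Return two files that differ only inside the collision blocks.

    The 128-byte colliding prefix fills exactly two MD5 blocks, so the
    internal state after it is identical for both inputs. Appending the
    same suffix (program code, data, padding) to both therefore keeps the
    MD5 collision intact: this is what lets one collision become two
    different "binaries" with the same checksum.
    """
    return BLOCKS_A + shared_suffix, BLOCKS_B + shared_suffix


def behaviour(twin: bytes) -> str:
    """Constructed stand-in for a colliding executable's branch.

    Both twins carry the same code; it inspects the first differing byte
    (offset 19) of the collision block to decide what to do.
    """
    return "benign" if twin[19] == BLOCKS_A[19] else "malicious"


def check_download(data: bytes, expected_md5: str, expected_sha256: str) -> dict:
    """Verify a download against an MD5 and a SHA-256 obtained elsewhere.

    Returns which checks passed, so a caller can see that an MD5 match alone
    does not establish that this is the file the publisher hashed.
    """
    return {
        "md5_ok": md5_hex(data) == expected_md5,
        "sha256_ok": sha256_hex(data) == expected_sha256,
    }


def main():
    # Constructed sample suffix standing in for the rest of a program.
    benign, evil = make_twins(b"\x00shared code and data appended to both twins\x00")
    print("differing offsets:", differing_offsets(benign, evil))
    print("md5    A:", md5_hex(benign))
    print("md5    B:", md5_hex(evil))
    print("sha256 A:", sha256_hex(benign))
    print("sha256 B:", sha256_hex(evil))
    print("behaviour A:", behaviour(benign), "| behaviour B:", behaviour(evil))
    # Publisher hashed the benign twin; user receives the evil one.
    print(check_download(evil, md5_hex(benign), sha256_hex(benign)))


if __name__ == "__main__":
    main()
```

Running it shows the two twins agreeing on MD5 and disagreeing on SHA-256, with `check_download` reporting `md5_ok` true and `sha256_ok` false for the swapped file. The practical check this argues for: compare against a SHA-256 (or a signature) that you obtained over a channel other than the one carrying the file, since a hash published on the same unauthenticated page can be replaced along with the download.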


Actually the OP just wanted to share some info... no need to be so snarky....
He was only giving his own point of view, not refusing to post the link....
If you look at the OP's blog you'll see....


MD5 is no good; this was already raised a long time ago (several years, 5~6??).
If my memory still serves me well,
it was a Chinese researcher who broke it, logically, in a live demonstration on some maths academic forum I don't remember.

Some B2B may still be using DES; it is all a mathematics problem.
