4
Some websites publish a sha256 to check the authenticity of a downloaded file.
I suppose this is to protect against a man-in-the-middle attack - that my file was not altered during download.
What prevents a man-in-the-middle from altering web traffic and fixing the hash code that I see to match the malicious downloaded file?
Those sites often do not provide SSL, so capturing and fixing HTTP traffic is easy; all it takes is to work with my ISP or some backbone router.
There are even sites that allow you to calculate sha256 by uploading a file over unsafe HTTP with no SSL - ridiculous, isn't it?
Not only do I have to trust that this website does not work for the government, I also have to trust my ISP by connecting without SSL.
4 This question appears to be off-topic because it is not about bitcoin or cryptocurrencies but about general security and verification. It would probably be more at home on another StackExchange sub-site. – dchapes – 2014-04-11T10:15:46.160
I somewhat agree, but I planned to ask it together with this question: http://bitcoin.stackexchange.com/questions/24489/using-blockchain-to-publish-downloadable-software-verification-codes and then decided to take them apart. – CoinsKillTheFed – 2014-04-12T03:15:17.887
Agree - though nice, this question pertains more to another S.E. site – Joe Pineda – 2014-04-12T03:41:23.763
Which site? I don't know how, or do not have permission, to move it. I guess somebody with a higher rating could move it for me. – CoinsKillTheFed – 2014-04-13T02:06:06.023
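The concern raised in the question, as an added example that is not part of the original post: a checksum fetched over the same plain-HTTP path as the file still matches after both are rewritten in transit, while a checksum fetched over HTTPS exposes the altered file. The file name, URLs and byte strings are constructed, and treating an `https` scheme as the authenticated channel is an assumption of this example.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlparse

def published_digest(checksum_text: str, filename: str) -> Optional[str]:
    """Find filename in sha256sum-style text ('<64 hex>  <name>' per line)."""
    for line in checksum_text.splitlines():
        parts = line.split(maxsplit=1)
        if len(parts) == 2 and parts[1].lstrip("*") == filename:
            digest = parts[0].lower()
            if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
                return digest
    return None

def check_download(data: bytes, filename: str, checksum_text: str, checksum_url: str) -> str:
    """Return 'mismatch', 'match-unauthenticated' or 'match-authenticated'."""
    expected = published_digest(checksum_text, filename)
    actual = hashlib.sha256(data).hexdigest()
    if expected is None or not hmac.compare_digest(expected, actual):
        return "mismatch"
    # A matching digest says nothing about authenticity if it travelled over
    # a channel that an on-path party could rewrite; plain HTTP is one.
    if urlparse(checksum_url).scheme.lower() != "https":
        return "match-unauthenticated"
    return "match-authenticated"

# Constructed sample data (not from the original post).
GENUINE = b"genuine installer bytes\n"
ALTERED = b"altered installer bytes\n"
NAME = "tool-1.0.tar.gz"

def checksum_page(data: bytes) -> str:
    """Build the checksum file a site would publish for the given bytes."""
    return f"{hashlib.sha256(data).hexdigest()}  {NAME}\n"

def demo() -> dict:
    http_url = "http://downloads.example/SHA256SUMS"    # assumed URL
    https_url = "https://downloads.example/SHA256SUMS"  # assumed URL
    return {
        # File and checksum page both rewritten over HTTP: the hash still matches.
        "both_rewritten_http": check_download(ALTERED, NAME, checksum_page(ALTERED), http_url),
        # Checksum arrives intact over HTTPS, so the altered file is caught.
        "file_rewritten_https_sum": check_download(ALTERED, NAME, checksum_page(GENUINE), https_url),
        "untouched_https_sum": check_download(GENUINE, NAME, checksum_page(GENUINE), https_url),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

HTTPS here only authenticates the server that served the checksum; it does not cover the question's other point about having to trust the website itself.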