Is md5 checksum that reliable ?

[Pats]

Lalely I read somewhere about preimage and collision attacks and reliability of md5 checksum . Would appriciate different opinions  . I had reffered the following link :
 ... https://security.stackexchange.com/questions/186657/is-it-secure-to-use-md5-to-verify-the-integrity-of-small-files-less-than-15kb

[Rich]

Hi Pats
Since this thread is the result of a checksum mis-match while downloading an extension I will address that aspect of it. From the
thread where the checksum mis-match was brought up I stated:

Hi Pats

... do you think that md5 mis-match may be real culprit in the OPs problem ? .... Just curious , if md5 checksum is that reliable . ...

Well yes, the mis-match is the source original problem. I feel for confirming that extensions are downloaded correctly it
is reliable enough. If the downloaded extension gets corrupted, it will get flagged. if the downloaded  md5  file gets
corrupted, it will get flagged. If only one of the two files gets updated in the repo, as was the case here, it will get flagged.

From a security point of view, if you are downloading  FILE  and  FILE.md5.txt  from the same source, choice of checksum
algorithm is irrelevant. If someone can replace  FILE  with a malicious version they can replace the checksum file too.

[Pats]

Hi Rich , thanks for explanation !
Brought the discusion point here from ...*Re: md5sum: WARNING: 1 of 1 computed checksums did NOT match* thread ... : ...

Last post by <b>Rich </b>on <b>Today</b> at 10:25:29 PM »Hi Pats<br>The  md5  file is not required for the extension to run. The  md5  file is however also used to check whether an extension<br>in the repo has been updated.

..Correct ! Except for Kernel compiling / Update and security related downloads like iptables etc , I myself very rarely use md5 checks .

Last post by <b>Rich</b></b> : ... If someone can replace  FILE  with a malicious version they can replace the checksum file too.

Though posible , but such replacements are not of any worth to the imposter ! So not practical , I guess .
 That means , if someone want to be damn sure about a downloaded file integrity , better options may be SHA-1 and above versions of  (Digest::SHA1) or some utility like HashCheck.

 By the way , I found following articles interesting :
1)  http://raymond.cc/blog/ask-raymond-how-to-decrypt-md5-hashed-strings/
 2) https://www.perlmonks.org/?node_id=386246

[bmarkus]

md5 with the tcz extensions has nothing to do with security which is a complex issue. It is to check integrity and detect file corruption.  Considering networking protocols, reliability of storage systems probability of file corruption is extremely low. File corruption in TC environment in most cases caused by interrupted transfer e.g. due to lack of free storage or networking issue. In such case md5 is perfect, sha1 wouldn't bring any benefit.

[vinceASPECT]

Hello.

Uh the md5 cs is referring to a files integrity against an identical file of integrity. With that in mind, when dealing with transmissions
and so forth and protocols those a bit/ per bit streams and collision's will be in that domain. Collisions would'nt implicitly refer to
the integrity a bit stream (as a packet of a file header)
That sort of networking issue concerns hardware parity.

Thx

V

[Pats]

Last post by bmarkus on Today at 05:50:08 AM »
md5 with the tcz extensions has nothing to do with security which is a complex issue. It is to check integrity and detect file corruption.

..

Last post by vinceASPECT on Today at 07:18:04 AM » would'nt implicitly refer tothe integrity a bit stream (as a packet of a file header)That sort of networking issue concerns hardware parity.

..Exactly ! That is what  I want  to convey . Unless and until , there is an installation problem ,  is there  any need to use md5 or sha1 ?  And how many actually use it , anyways ! ... And as explained by , Rich , if someone can replace the file , he can replace the corresponding  .md5 file as well !

[Rich]

Hi Pats

... Unless and until , there is an installation problem ,  is there  any need to use md5 or sha1 ?  And how many actually use it , anyways ! ...

It is used by the  Apps  utility as well as the commandline utilities for extension loading/maintenance. So anyone using the supplied
tools for handling extensions uses it. If a download gets corrupted by a bit error you want to know it right then and there so you
can address the issue and resolve it. The purpose is to detect unintentional discrepancies, not thwart malicious troublemakers.

[Pats]

  Last post by Rich on Today at 05:01:43 PM » The purpose is to detect unintentional discrepancies, not thwart malicious troublemakers.

 I mostly use wget . AppBrowser is a nice tool ! I was not  knowing   that command-line tool  automatically check md5 cs after downloading .
Since most of my apps-groups like Opera , Java , mySQL , compiletc etc are stable , working without glitches and I am not a frequent-flyer to try every new app and new version of TC on the repo ,  ... may be I am lucky not to face so many problems about installations  after gaining decent knowledge here with TC Team !
But daily I get chance to refresh my linux know-how from many new members problems ... and  think there is much more to learn  from this new generation !
 Thanks !

[Pats]

Collisions would'nt implicitly refer to
the integrity a bit stream (as a packet of a file header)
That sort of networking issue concerns hardware parity.

.. And what does that exactly mean - in simple language ?

[Pats]

Just out-of-curiousity asking , though chances are negligible but  has Team TCL ever faced a Zero-day vulnarability  problem during alpha , beta or after final release?

For those who dont know :

A Zero-day or 0-day  vulnarability  is a computer-software vulnerability that is unknown to the developer  and hckers can exploit it to adversely affect computer programs, data,  or a network , until the developer come to know about it . And  Day-Zero  is the day on which the developer come to know about the vulnerability.

[Pats]

I cancell and take back my question about Zero-day vulnarability , because I think that may be an intrusion to privacy and actual working procedure of TCL.
 ( I was just interested for an article on the subject. )