Hacker News new | ask | show | jobs
by JshWright 3463 days ago
Verifying a downloaded file doesn't require a cryptographically secure hash function...
2 comments
aianus 3463 days ago
Of course it does, otherwise a malicious mirror can (theoretically) work to find a collision between their malware and the legitimate file and serve you the former.

There's no good reason not to use a secure hash function.

link
JshWright 3462 days ago
If your threat model involves an attacker who is able to achieve a hash collision while still implanting a sophisticated malware, you should probably avoid downloading software from random websites...
link
verbify 3462 days ago
It would be pretty impressive, as they'd need their malware to both do what they want and exactly match that hash. Not impossible, just clever.
link
feld 3463 days ago
well it does require one that can't have collisions. otherwise what's the point in "verifying"?
link
mschulze 3463 days ago
There is no hash function that can't have collisions by definition.
link
feld 3462 days ago
*isn't known to have collisions, then
link