Hacker News new | ask | show | jobs
by jloveless 3217 days ago
When you register a new asset, the Edgemesh backend downloads it from origin itself to validate the hash you've calculated. And on replication the destination recalculates it on the payload (to make sure the asset replicated correctly).
1 comments
theanomaly 3216 days ago
Right. So let's say we have file A, which is an innocuous image file, and file A', which is a malicious image file, where MD5(A) == MD5(A'). Based on the MD5 prefix collision attack, I should be able to construct two such files A and A'.

I get an edgemesh site to accept file A (perhaps the site allows me to upload a user avatar, upload an image on a forum, etc). I then behave as a node in the mesh, and receive file A. When I get a request to replicate file A to someone else, I send them file A', they check the MD5 hash, and the hash matches. Not seeing how that doesn't work?

It is admittedly a narrow attack, but I think it works.

link
gruez 3216 days ago
why not upload the malicious file directly?
link
theanomaly 3215 days ago
Because you could bypass filtering / approval mechanisms, or automatic image processing that could defang a malicious image.
link