by schwanksta 5549 days ago
At first, that was what I thought the flaw would be -- providing a file that has a hash that collides with another file, gets you that file.

But it seems to me you would need to know the exact contents of the file in question to get that to happen, making the point moot. Perhaps I'm wrong on that.

Do they check filesize too? What are the odds of a hash collision + identical filesize? We might need Carl Sagan to answer that one.

> What are the odds of a hash collision + identical filesize?

If implemented correctly, the additional constraint on filesize being the same is irrelevant. Given one particular hash value, the probability that a second file hashes to the same value is 1/(range of hash function) if the hash function is modeled as an ideal hash function.
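An added example, not part of the thread: a small measurement of the 1/(range) claim above, comparing candidate files that match the target's size against candidates that never do. It assumes SHA-256 truncated to 10 bits as a stand-in for an ideal hash so collisions are frequent enough to count; `h`, `candidate`, `collision_rate` and the target bytes are constructed for illustration.

```python
import hashlib

BITS = 10                 # truncated digest width (assumption, keeps collisions observable)
RANGE = 1 << BITS         # size of the hash function's range

def h(data: bytes) -> int:
    """SHA-256 truncated to BITS bits, standing in for an ideal hash."""
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big") >> (32 - BITS)

def candidate(i: int, size: int) -> bytes:
    """Constructed file number i, exactly `size` bytes long (size >= 8)."""
    return i.to_bytes(8, "big") + b"A" * (size - 8)

def collision_rate(target: bytes, trials: int, same_size: bool) -> float:
    """Fraction of constructed files whose hash equals the target's hash."""
    want = h(target)
    hits = 0
    for i in range(trials):
        # Either match the target's length or pick a length that never matches it.
        size = len(target) if same_size else len(target) + 1 + i % 100
        if h(candidate(i, size)) == want:
            hits += 1
    return hits / trials

if __name__ == "__main__":
    target = b"constructed target file contents"   # constructed sample, 32 bytes
    for same in (True, False):
        rate = collision_rate(target, 200_000, same)
        print(f"same_size={same}: rate={rate:.6f}, ideal 1/range={1 / RANGE:.6f}")
```

Both measured rates come out near 1/RANGE, which is the sense in which matching on size adds nothing against an ideal hash.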