verification of downloads

Discussion related to AES Crypt, the file encryption software for Windows, Linux, Mac, and Java.
philco
Posts: 6
Joined: Thu Nov 14, 2013 2:45 pm

verification of downloads

Post by philco »

Do you supply checksum info (MD5, SHA-1, SHA-256) or other means (gpg signature) to enable verification of download files? I haven't been able to find them on your site.
paulej
Posts: 595
Joined: Sun Aug 23, 2009 7:32 pm
Location: Research Triangle Park, NC, USA

Re: verification of downloads

Post by paulej »

No, we don't. The reason is that it's a false sense of security. If somebody is able to hack the server and change the download files, they can even more easily change any published hash values. We could publish those and sign them with an OpenPGP signature, but so few people use that, it's probably pointless.

If you're concerned about changes in flight, you can use https to download the files over a secure connection. Go to this URL: https://www.aescrypt.com/download/
Crypto-256
Posts: 7
Joined: Sun Dec 16, 2012 2:56 pm

Re: verification of downloads

Post by Crypto-256 »

I just downloaded the Windows-GUI-version directly from the secure-site
https://www.aescrypt.com/download/

So, I got the file
AESCrypt_v309_win32.zip
Size: 950 KB (973.764 bytes)
MD5: cee02a797d00baec2b5f96f0e8b68616
SHA-1: 33503f689eeaa470f6ddfa6a85302c7973caa84c
SHA-256: cd97c7a379da2a531f1a9495bac92b34da0dff9966db12b2b955c3a569b77826

I also scanned that package for malware with anti-malware programs (Hitman-PRO, Comodo Internet-Security Premium and Malwarebytes, each of them is the latest version and updated with the latest malware-database).
Nothing found, the package is clean, as I expected ;-)
noxide
Posts: 1
Joined: Thu May 29, 2014 10:10 pm

Re: verification of downloads

Post by noxide »

paulej wrote: No, we don't. The reason is that it's a false sense of security. If somebody is able to hack the server and change the download files, they can even more easily change any published hash values. We could publish those and sign them with an OpenPGP signature, but so few people use that, it's probably pointless.

If you're concerned about changes in flight, you can use https to download the files over a secure connection. Go to this URL: https://www.aescrypt.com/download/
I mean no offense but to be blunt, the "False sense of security" rationale is nothing other than a cop-out. MANY MANY people look to verify that installers are Digitally signed and I would really love it for AES Crypt to start signing their installers. I just learned about AES Crypt today in the wake of the TrueCrypt mystery that started yesterday and I refuse to install AES Crypt because the installers are not digitally signed.

The files' hash values should be published AND the installer files Digitally Signed. With both of these in place, and with the key used to sign the installers appropriately handled and stored offline, it would be VERY difficult to impossible for a hacker to compromise the web server hosting the AES Crypt installer files and both forge the hash AND sign the files with the trusted key.

Please, please start hashing and digitally signing your installer files. It would be GREATLY appreciated and very likely to gain AES Crypt even more users.

Respectfully,

-noxide
paulej
Posts: 595
Joined: Sun Aug 23, 2009 7:32 pm
Location: Research Triangle Park, NC, USA

Re: verification of downloads

Post by paulej »

I maintain hash values for all binary and source files published on aescrypt.com. What I have not done is publish the information. The reason is simply that it can lead to a false sense of security. However, since I maintain the hash values separately in a place that cannot be accessed via the Internet, a periodic audit would reveal unauthorized modifications.

You do put too much faith in code signing and hash values. One can argue that it's a better measure than nothing, but I still argue that it's bad practice to rely on them. If the site was compromised, a person could get a code signing certificate in very short order. A person could also modify any published hash information.

However, just so you do not think I am copping-out, you can grab a signed file with the hash information. This is signed with my GnuPG key. You can match your particular download against the listed filenames. You can use GnuPG to verify my signature and you can grab my public key from the MIT key server. The KeyID is 1672F2A5. At least this way, more effort will have to be expended in order to create a bogus file.

But seriously, don't trust certificate authorities so much. Major corporations like Microsoft have had fake certificates generated under their name. There are so darn many certificate authorities and some have sloppy procedures. Almost everything is automated.
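
An added example, not part of the thread and not AES Crypt's own tooling: the audit described in the last post, comparing published files against a hash list held somewhere trusted, sketched in Python. The sha256sum-style list format and all file names are assumptions, and the list's signature is assumed to have been checked separately with `gpg --verify`.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumption: manifest_text comes from a hash list whose signature was already verified.
LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")

def sha256_file(path):
    """Hash in chunks so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style '<digest>  <filename>' lines (assumed format)."""
    entries = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # anything else (blank lines, PGP armor) is ignored
            entries[Path(m.group(2)).name] = m.group(1).lower()
    return entries

def audit(manifest_text, directory):
    """Compare a directory with the trusted list; return {filename: status}."""
    expected, root = parse_manifest(manifest_text), Path(directory)
    report = {}
    for name, digest in expected.items():
        path = root / name
        if not path.is_file():
            report[name] = "missing"
        else:
            report[name] = "ok" if sha256_file(path) == digest else "mismatch"
    for path in root.iterdir():
        if path.is_file() and path.name not in expected:
            report[path.name] = "unlisted"
    return report

def demo():
    """Constructed sample: a.zip intact, b.zip altered after listing, c.zip unlisted."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "a.zip").write_bytes(b"release A")
        (root / "b.zip").write_bytes(b"release B")
        manifest = "".join(f"{sha256_file(root / n)}  {n}\n" for n in ("a.zip", "b.zip"))
        manifest += "0" * 64 + "  gone.zip\n"  # listed but absent from the directory
        (root / "b.zip").write_bytes(b"release B, modified")
        (root / "c.zip").write_bytes(b"not in the list")
        return audit(manifest, root)
```

A "mismatch" or "unlisted" result only means something when the list itself was obtained and verified independently of the server being audited.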