
Of course it does, otherwise a malicious mirror can (theoretically) work to find a collision between their malware and the legitimate file and serve you the former.

There's no good reason not to use a secure hash function.



If your threat model involves an attacker who is able to achieve a hash collision while still implanting sophisticated malware, you should probably avoid downloading software from random websites...


It would be pretty impressive, as they'd need their malware to both do what they want and exactly match that hash. Not impossible, just clever.



