MD5 is not collision resistant, and as such it shouldn't be used for verifying file integrity against tampering. A tampered file might be computed in order to have the same MD5 checksum as the original with a relatively small effort. See for instance http://eprint.iacr.org/2013/170.pdf

Attacks are particularly effective against .tar.gz, as they allow for arbitrary binary content to be added. Use cryptographic signatures or, at the very least, a modern hash function like SHA-2/3.

Paolo

On 23 August 2014 08:33:56 GMT+09:00, Lee <ler...@gmail.com> wrote:
>On 8/22/14, no.thing_to-h...@cryptopathie.eu
><no.thing_to-h...@cryptopathie.eu> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> I just downloaded the old version 3.6.3, the download link on
>> http://www.neowin.net/news/tor-browser-bundle-363
>> still works and leads to the file
>> https://www.torproject.org/dist/torbrowser/3.6.3/torbrowser-install-3.6.3_en-US.exe
>>
>> When I use jacksum on this file, the result is
>>
>> c8eb88324526d718b937b616c75d33a8 torbrowser-install-3.6.3_en-US.exe
>
>which does not match what I get
>
>> This is another MD5 checksum than the one from the mentioned installer package
>>
>> 9529C5A633CF0CF6201662CA12630A04
>
>which is what I get:
>C:\temp\2do>md5 torbrowser-install-3.6.3_en-US.exe
>9529C5A633CF0CF6201662CA12630A04 torbrowser-install-3.6.3_en-US.exe
>
>which matches what the OP got
>>> The install package
>>> torbrowser-install-3.6.3_en-US.exe has the MD5 signature:
>>> 9529C5A633CF0CF6201662CA12630A04
>
>> I was not able to download the PGP signature of the file to verify its
>> integrity.
>
>I did:
>/cygdrive/c/temp/2do
>$ gpg --verify torbrowser-install-3.6.3_en-US.exe.asc
>gpg: WARNING: using insecure memory!
>gpg: please see http://www.gnupg.org/documentation/faqs.html for more information
>gpg: Signature made Fri Jul 25 13:19:46 2014 EDT using RSA key ID 63FEE659
>gpg: Good signature from "Erinn Clark <er...@torproject.org>"
>gpg:                 aka "Erinn Clark <er...@debian.org>"
>gpg:                 aka "Erinn Clark <er...@double-helix.org>"
>gpg: WARNING: This key is not certified with a trusted signature!
>gpg:          There is no indication that the signature belongs to the owner.
>Primary key fingerprint: 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659
>
>
>> One of us downloaded a wrong Tor installer package ...
>
>Looks like it was you..
>
>Regards,
>Lee
>
>>
>> Best regards
>>
>> Anton
>> - --
>> no.thing_to-hide at cryptopathie dot eu
>> 0x30C3CDF0, RSA 2048, 24 Mar 2014
>> 0FF8 A811 8857 1B7E 195B 649E CC26 E1A5 30C3 CDF0
>> Bitmessage (no metadata): BM-2cXixKZaqzJmTfz6ojiyLzmKg2JbzDnApC
>>
>>
>>
>> On 22/08/14 23:38, bm-2cvvnfwsftfx8dv12l8z8pjejmtrjyj...@bitmessage.ch wrote:
>>> Hi,
>>>
>>> I have TOR 3.6.3 installed in a Windows XP computer that is used almost just for it, with very few additional software installed. My understanding is that a potential attacker will test his exploit/approach against most of the security software available, but possibly will not be able to test against ALL of them, so I have a miscellany of popular and not popular security software installed in the same computer; among them is a not so common anti-spyware called Zemana.
>>>
>>> I have been using the TOR browser and Zemana for years and I am familiar with the behaviour of both. The TOR I am running has just the extensions that come with it; no additional extension was installed; no plug-in is installed.
>>>
>>> I have proper licenses to run all the software, including Zemana, so no crack or other suspicious tool was ever used. Zemana is a quiet software and I cannot remember any single fake alert.
>>>
>>>
>>> A few days ago, while browsing with TOR, I got a shocking alert from Zemana: TOR TRIED TO TAKE A SNAPSHOT OF MY SCREEN.
>>>
>>>
>>> As Zemana allows me, I did block such screen capture and TOR crashed immediately. By this crash I understand that TOR really tried to capture my screen.
>>>
>>> I restarted TOR with a new identity, changed the identity many times, but TOR repeated the same behaviour a number of times with the screen capture try - Zemana block - TOR crash. Changing the identity just does not work for such an attacker.
>>>
>>> The script functions were always blocked by NoScript 2.6.8.36.
>>>
>>> On the following days I used TOR again, without any change in my system or software, accessing the same web sites, but the attack no longer took place.
>>>
>>>
>>> I verified the MD5 signature for the TOR browser (firefox.exe) and it is unchanged, i.e., it is as distributed by torproject.org
>>>
>>> The TOR 3.6.3 was downloaded from the TOR project web site, and not from other servers. The install package torbrowser-install-3.6.3_en-US.exe has the MD5 signature: 9529C5A633CF0CF6201662CA12630A04 I have the installer in my files for any forensic work.
>>>
>>> I am sending some screens with the Zemana log, where it is possible to see the TOR MD5 signature (firefox.exe; FC19E4AFB0E68BD4D25745A57AE14047) and the logged behaviour ("screenlogger"), the TOR version, TOR button and the Zemana version screens, and the extensions and plug-ins existing in my TOR install (just to confirm that nothing strange is there). They are available to download here: http://www.datafilehost.com/d/dfb201d8 or https://www.sendspace.com/file/6ygdl3
>>>
>>>
>>>
>>> Seems that TOR has hidden server capabilities, a back door that allows a remote operator to take a snapshot of the screen and possibly perform other actions (record mic, turn on the webcam, ...).
>>>
>>>
>>> I think TOR can protect the users from many enemies, but at the same time it is a perfect tool to attract, identify and log very specific (users) targets. This may explain also the, until now, unclear role and objectives of the US government in funding the TOR Project.
>>>
>>> It seems it will hardly be possible to identify such an attacker as it probably comes from the TOR network itself, but I am considering a trap/honey pot just in case this repeats.
>>>
>>>
>>> I am an enthusiast of privacy tools and TOR is not used for any kind of unlawful purposes; it is unlikely that I will attract attention from public authorities and I am not worried about any data such an attacker eventually may have had access to.
>>>
>>>
>>> Hope this information may help to improve the TOR community security and at some point in the future we will be able to find a solution for this back door.
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.12 (GNU/Linux)
>> Comment: Using GnuPG with Icedove - http://www.enigmail.net/
>>
>> iQEcBAEBAgAGBQJT98FZAAoJEMwm4aUww83w+xUH/iUhYY2HTDWDmUEbK4H5T75G
>> Zhb66G6i+fYslT1WxFT6nSi2Ks4j1uonpB6l0ZIa8kwBrNU7jT9OhyLqYgnRrMT3
>> jCld59B8VDJxrBNrjw8N9I/zQ7aHBYzla5v5daqa5d1gMBG0h7OBm/F4t46ZHtu/
>> NyssqaTh9p0SbbgunevjCNJUELUH9/i9Os4VsOlvoA4mKl6mNH4Conck7fFoCtKn
>> dHW9hFSTM82lUXVo34IUqtMI4COiEosSBiyzErk0YWurQXIeF9IEQB1dGXWftY9/
>> 35ecqy8gxqt4Q/pQBFkKAb11fip5zqaWL82HaeEyeIFOP1rxzCjWvzN6Yyvf9VI=
>> =mEfz
>> -----END PGP SIGNATURE-----
>> --
>> tor-talk mailing list - tor-talk@lists.torproject.org
>> To unsubscribe or change other settings go to
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
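The verification Paolo recommends, as an added example that is not part of the thread and not the Tor Project's own tooling: a digest checked in constant time, with MD5/SHA-1 manifests refused by default, plus a detached OpenPGP signature judged by a pinned signing-key fingerprint rather than by gpg's exit code. Lee's output above shows why the second point matters: gpg printed "Good signature" and a trust WARNING for the same file, and its exit status alone cannot distinguish the key you expected from any other key in your keyring. The sample bytes, manifest lines and `[GNUPG:]` status lines below are constructed for the demonstration; only the fingerprint and key ID are copied from Lee's message.

```python
"""Verify a downloaded installer: strong digest + pinned-fingerprint signature.

Added example; not code from the thread or from the Tor Project. Sample data
and gpg status lines are constructed.
"""
import hashlib
import hmac
import re
import shutil
import subprocess

# Hex digest length -> algorithm. MD5 and SHA-1 are recognised only so that a
# legacy manifest can be identified and refused: they detect accidental
# corruption, not a deliberately crafted substitute.
DIGEST_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
WEAK = {"md5", "sha1"}

# Fingerprint of the key that signed Lee's download, copied from his gpg output.
TOR_SIGNING_FPR = "8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659"


def parse_manifest_line(line):
    """Parse one 'HEXDIGEST  filename' line in md5sum/sha256sum format."""
    m = re.match(r"^\s*([0-9A-Fa-f]+)\s+\*?(\S.*?)\s*$", line)
    if not m:
        raise ValueError("not a checksum line: %r" % line)
    digest, name = m.group(1).lower(), m.group(2)
    algo = DIGEST_BY_LEN.get(len(digest))
    if algo is None:
        raise ValueError("unrecognised digest length %d" % len(digest))
    return algo, digest, name


def check_digest(data, manifest_line, allow_weak=False):
    """Return (algorithm, matches). Refuse MD5/SHA-1 unless explicitly allowed."""
    algo, expected, _ = parse_manifest_line(manifest_line)
    if algo in WEAK and not allow_weak:
        raise ValueError(algo + " is not collision resistant; use SHA-2/SHA-3 or a signature")
    actual = hashlib.new(algo, data).hexdigest()
    # Constant-time comparison so a verifier cannot be probed byte by byte.
    return algo, hmac.compare_digest(actual, expected)


_STATUS = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$", re.M)


def evaluate_gpg_status(status_output, expected_fingerprint):
    """Decide from 'gpg --status-fd' output whether a signature is acceptable.

    gpg reports 'Good signature' and exits 0 even when the key is not in your
    web of trust (the WARNING in Lee's output), so the rule here is: accept
    only a VALIDSIG line whose fingerprint equals the one pinned in advance.
    """
    want = expected_fingerprint.replace(" ", "").upper()
    seen = {}
    for m in _STATUS.finditer(status_output):
        seen.setdefault(m.group(1), []).append(m.group(2) or "")
    for bad in ("BADSIG", "ERRSIG", "NODATA"):
        if bad in seen:
            return False, "signature did not verify (" + bad + ")"
    if "EXPKEYSIG" in seen or "REVKEYSIG" in seen:
        return False, "signing key expired or revoked"
    if "VALIDSIG" not in seen:
        return False, "no VALIDSIG line"
    fpr = seen["VALIDSIG"][0].split()[0].upper()
    if not hmac.compare_digest(fpr, want):
        return False, "signed by " + fpr + ", expected " + want
    return True, "good signature from pinned key " + want


def verify_detached_signature(path, sig_path, expected_fingerprint):
    """Run gpg on a real file and apply evaluate_gpg_status (needs gpg installed)."""
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg not found")
    # --status-fd 1 puts the machine-readable status lines on stdout; the
    # human-readable messages stay on stderr. gpg exits non-zero on BADSIG,
    # which is deliberately ignored here in favour of parsing the status lines.
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, path],
                          capture_output=True, text=True)
    return evaluate_gpg_status(proc.stdout, expected_fingerprint)


# Constructed status output modelled on Lee's verification; every field except
# the fingerprint and key ID is placeholder data.
_FPR = TOR_SIGNING_FPR.replace(" ", "")
STATUS_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 416F061063FEE659 Erinn Clark\n"
    "[GNUPG:] VALIDSIG " + _FPR + " 2014-07-25 0 0 4 0 1 10 00 " + _FPR + "\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
STATUS_WRONG_KEY = STATUS_GOOD.replace(_FPR, "F" * 40)  # valid signature, wrong signer
STATUS_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 416F061063FEE659 Erinn Clark\n"

if __name__ == "__main__":
    sample = b"abc"  # constructed stand-in for the installer bytes
    print(check_digest(sample, "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  sample.bin"))
    print(evaluate_gpg_status(STATUS_GOOD, TOR_SIGNING_FPR))
    print(evaluate_gpg_status(STATUS_WRONG_KEY, TOR_SIGNING_FPR))
```

The two MD5 values in the thread (c8eb... versus 9529...) would still be caught by this as a plain mismatch, which is all MD5 is good for: noticing that two downloads differ. What it cannot do is tell you that a file whose MD5 does match is the one the publisher built, which is why `check_digest` refuses an MD5 manifest unless you opt in, and why the signature check compares the fingerprint you obtained out of band instead of trusting "Good signature".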