Do we really need to check the integrity of downloaded files? [duplicate]
I downloaded a huge number of files, but discovered the use of md5 and sha as integrity checkers quite recently. Since then I always prefer to check it for big downloaded files, even if I have never found them to be corrupted.
Do we really need to check the integrity of downloaded files?
Pick as example a Linux distribution that I have just downloaded, which is 1GB, if you want.
Thank you
It depends on a few factors.
Do you have a stable internet connection?
If you have a stable internet connection, you do not need to check the integrity of the file as it will most likely be correct. I never check the hash and I also never have had corrupt files. Or maybe one time when the remote server disconnected.
Do you want to verify the file based on security reasons?
If you are concerned about the safety of the file you're downloading, you can use the MD5 hash to verify that the file was not somehow altered. You download a file and if the MD5 hash doesn't match, it means the file on the server is different than the MD5 hash, and somehow something is wrong. This would only be valid if you don't trust the server you're downloading from, but usually if someone provides a hash, they usually also try their best to keep things updated. But if their site got hacked, and you did check the MD5 hash, then you got the little bonus.
Overall, these 2 will give a no to most people. If it's a no to you, that's entirely up to you of course.
The answer and choice one makes is going to be based on his/her risk tolerance and considerations of time and effort in verification.
Checking MD5/SHA1 hashes is a good first step and you should do it when you have time. However, you must consider your ability to trust the hash provided. For example, if the author's website with the hash is hacked, then the attacker can change the hash, so you would not know. If the hash you calculate is not the same as the hash provided, you know something is up. However, just because the hashes match does not guarantee the file is good.
A better alternative for a software author to provide integrity and authenticity is through digitally signing the files being distributed. This attaches the authenticity information to the file and does not rely on trusting some website. If an author digitally signs the file, the only way for this to be faked is a compromised certificate authority or if the developer's signing key was stolen. Both of these cases are far less likely than a website on the Internet being hacked.
Ultimately, you must do your own due diligence to determine if you want to trust something and then take countermeasures (run in a sandbox, a virtual machine, etc.) to mitigate any unknown factors or miscalculations you made when deciding whether or not to trust.
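An added example, not part of the answer above: a checksum check for a large download, streaming the file in chunks and comparing it against a coreutils-style checksum list. SHA-256, the file name `distro.iso` and the sample data are assumptions constructed for the demonstration; a match only shows the file equals what the list describes, so the list itself still has to come from a source you trust.

```python
import hashlib
import os
import tempfile

def file_digest(path, algo="sha256", chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a multi-GB image never sits in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_checksums(text):
    """Parse lines of the form '<hex>  <name>' (text) or '<hex> *<name>' (binary)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rest = line.partition(" ")
        # After the first space comes a mode marker: ' ' or '*'.
        name = rest[1:] if rest[:1] in (" ", "*") else rest
        if name:
            entries[name] = digest.lower()
    return entries

def verify(path, checksum_text, algo="sha256"):
    """Return 'ok', 'mismatch', or 'unlisted' for the file at path."""
    expected = parse_checksums(checksum_text).get(os.path.basename(path))
    if expected is None:
        return "unlisted"  # no entry: nothing was verified, do not treat as ok
    return "ok" if file_digest(path, algo) == expected else "mismatch"

def demo():
    """Constructed sample: a stand-in image, its checksum list, then one altered byte."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "distro.iso")  # hypothetical file name
        with open(path, "wb") as f:
            f.write(b"constructed sample image\n" * 1000)
        sums = "# constructed checksum list\n%s *distro.iso\n" % file_digest(path)
        before = verify(path, sums)
        with open(path, "r+b") as f:  # simulate corruption or alteration in transit
            f.seek(100)
            f.write(b"X")
        return before, verify(path, sums), verify(path, "")

if __name__ == "__main__":
    print(demo())
```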
For security reasons, YES. Consider that a Tor exit node was found to be patching binaries during download, then remember that your ISP may or may not have the slightest morals, and that they are in complete control of your internet connection.