On Thu, Apr 13, 2017 at 5:08 PM, William Roberts <[email protected]> wrote:
> On Apr 13, 2017 14:05, "Paul Moore" <[email protected]> wrote:
>> Unless Steve has exclusive administrative access to people.redhat.com
>> (I think it is safe to say he does not, but correct me if I'm wrong
>> Steve <b>) you can't trust an unsigned checksum regardless of how
>> strong the https cert/crypto as the web admin could still tamper with
>> the data.
>
> Sure possible, but not super plausible. You're putting some trust in the
> administration of that website to begin with.
Come on man, you're smarter than this :) I only called out the malicious
admin case, but there are other cases where someone with malicious intent
could tamper with the checksum. Some quick examples: hacked webserver,
MITM https proxy, etc.

-- 
paul moore
security @ redhat

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
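The point of the exchange above, worked as an added example (not code from the thread or from the audit project): a client that only compares a download against a checksum served from the same place gains nothing when whoever controls that place (site admin, attacker on a compromised webserver, or an HTTPS-terminating proxy) can rewrite both files together; a signature over the checksum file made with a key that never touches the server is what breaks that. The "website" is an in-memory dict, the tarball bytes and key are constructed, and HMAC-SHA256 stands in for a detached GPG signature because the Python standard library has no public-key signing; the one difference from GPG is that the verifier here needs the same secret key rather than a public key, which does not change the property being shown.

```python
"""Why an unsigned checksum behind HTTPS is not an integrity guarantee.

Added example, not from the linux-audit thread. The "server" is a dict
standing in for a web host; the signature is an HMAC-SHA256 stand-in for a
detached GPG signature (assumption: stdlib only, no public-key crypto).
"""
import hashlib
import hmac

# Constructed data (assumptions): the maintainer's signing key lives on the
# maintainer's machine and is never present on the web server.
MAINTAINER_KEY = b"maintainer-release-signing-key"
ORIGINAL_TARBALL = b"audit release tarball contents (constructed)"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(data: bytes, key: bytes) -> str:
    """Stand-in for `gpg --detach-sign` over the checksum file."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def publish(tarball: bytes) -> dict:
    """What the maintainer uploads: tarball, SHA256SUMS, SHA256SUMS.sig."""
    sums = f"{sha256_hex(tarball)}  audit.tar.gz\n".encode()
    return {
        "audit.tar.gz": tarball,
        "SHA256SUMS": sums,
        "SHA256SUMS.sig": sign(sums, MAINTAINER_KEY),
    }


def tamper(site: dict, new_tarball: bytes) -> dict:
    """Model of the thread's threat: a party controlling the server (or an
    HTTPS-terminating proxy) replaces the tarball and rewrites the checksum
    file to match. The .sig cannot be regenerated without MAINTAINER_KEY."""
    forged = dict(site)
    forged["audit.tar.gz"] = new_tarball
    forged["SHA256SUMS"] = f"{sha256_hex(new_tarball)}  audit.tar.gz\n".encode()
    return forged


def checksum_only_accepts(site: dict) -> bool:
    """The weak check: compare the download with the checksum served beside it."""
    expected = site["SHA256SUMS"].decode().split()[0]
    return hmac.compare_digest(expected, sha256_hex(site["audit.tar.gz"]))


def signed_checksum_accepts(site: dict, key: bytes) -> bool:
    """The stronger check: verify the signature on SHA256SUMS first, and only
    then trust the checksum it carries."""
    expected_sig = sign(site["SHA256SUMS"], key)
    if not hmac.compare_digest(expected_sig, site["SHA256SUMS.sig"]):
        return False
    return checksum_only_accepts(site)


def demo() -> dict:
    """Run both verifiers against the genuine and the tampered site."""
    genuine = publish(ORIGINAL_TARBALL)
    forged = tamper(genuine, b"replaced tarball (constructed)")
    return {
        "genuine_checksum_only": checksum_only_accepts(genuine),  # True
        "forged_checksum_only": checksum_only_accepts(forged),    # True: no protection
        "genuine_signed": signed_checksum_accepts(genuine, MAINTAINER_KEY),  # True
        "forged_signed": signed_checksum_accepts(forged, MAINTAINER_KEY),    # False
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'REJECTED'}")
```

The forged site passes the checksum-only verifier because the attacker wrote the checksum; it fails the signed verifier because the signature still covers the original SHA256SUMS. In practice the same split applies to where the verifying key comes from: a GPG public key fetched from the same server as the tarball is no better than the unsigned checksum, so it has to be obtained and pinned through a separate channel.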
