Re: Bittorrent secure?

2005-01-27 Thread gabriel
You want true security, DON'T USE IT! *hides behind the fridge*


On Tue, 25 Jan 2005 16:58:06 -0500, Chuck Swiger [EMAIL PROTECTED] wrote:
 Hanspeter Roth wrote:
  On Jan 25 at 14:48, Chuck Swiger spoke:
  You need to have an external source of information which specifies a
  checksum or MD5 hash to confirm that the file has not been tampered with.
 
  That is to say I should download CHECKSUM.MD5 from one of the public
  FTP-servers by hand and do the MD5 checks myself, right?
 
 Yes indeed, or use the files in a context like the ports tree, which does this
 sort of checking for you.
 
  If you trust the Torrent tracker file, then BitTorrent has this part
  built-in.  Otherwise, you would use something like the distinfo files in
  /usr/ports to help confirm the validity of files.
 
  BitTorrent doesn't get some public checksums from some public
  servers transparently, does it?
 
 Each file distributed by BitTorrent has a tracker and a seed .torrent which
 describes the checksums of the file (and its parts), and manages the list of
 hosts offering the file.
 
  On the other hand, Torrent doesn't do any worse than FTP or HTTP.
 
  The FTP-servers should be more or less official and should contain
  more or less uncompromised data.
 
 A lot of people thought that about ftp.gnu.org, or ftp.sendmail.org, or other
 well-known FTP sources which have been compromised.
 
  Hosts that offer BitTorrent probably are less official.
 
 True, but you are not relying on them to confirm the downloaded data is
 correct, you are relying on the seed host and its .torrent file.
 
 --
 -Chuck
 
 ___
 freebsd-questions@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to [EMAIL PROTECTED]
 


-- 
gabriel,

Member of:
FreeBSD-Announce
FreeBSD-Hardware
FreeBSD-Multimedia
FreeBSD-questions


Re: Bittorrent secure?

2005-01-27 Thread Hanspeter Roth
  On Jan 25 at 16:58, Chuck Swiger spoke:

 Hanspeter Roth wrote:
   On Jan 25 at 14:48, Chuck Swiger spoke:
 You need to have an external source of information which specifies a 
 checksum or MD5 hash to confirm that the file has not been tampered with. 
 
 That is to say I should download CHECKSUM.MD5 from one of the public
 FTP-servers by hand and do the MD5 checks myself, right?
 
 Yes indeed, or use the files in a context like the ports tree, which does 
 this sort of checking for you.

Ok, I forgot to mention that I thought of the ISO images of
4.11-RELEASE (or ISO images of future releases).
This has probably nothing to do with the ports tree.
So the CHECKSUM.MD5 file from an FTP-server is still required.

-Hanspeter


Bittorrent secure?

2005-01-26 Thread Hanspeter Roth
Hello,

how secure is Bittorrent? How can one know how trustworthy the stuff
downloaded from other Bittorrent fellows is?

-Hanspeter


Re: Bittorrent secure?

2005-01-25 Thread cpghost
On Tue, Jan 25, 2005 at 08:22:53PM +0100, Hanspeter Roth wrote:
 Hello,
 
 how secure is Bittorrent?

Do you mean the Bittorrent *protocol*, or a specific
*implementation* thereof? And what do you mean by 'secure'?

 How can one know how trustworthy the stuff
 downloaded from other Bittorrent fellows is?

From which torrent? :-)

You get what you download. This is *normally* that, what the
seeders offered. You may want to checksum (md5, sha1, ...)
the files you get, comparing the digest strings with the
signatures published on trustworthy sites (e.g. if you
download an ISO image or so). All this is independent of
the transport protocol that you used (ftp, bittorrent, ...).

The bittorrent protocol uses TCP to transmit the chunks,
therefore ensuring that the chunks are not *intentionally*
corrupted along the way. Moreover, bittorrent checksums
the chunks internally, as an added measure of security.
But you are still encouraged to checksum the complete
file(s) anyway.

 -Hanspeter

Cheers,
-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/
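
Added example, not part of any poster's message: checking a downloaded image against a BSD-style checksum file such as CHECKSUM.MD5, whatever transport delivered it. The file name, image bytes and checksum text are constructed; it goes slightly beyond the thread by also accepting SHA1 and SHA256 lines and preferring the strongest one listed.

```python
import hashlib
import hmac
import io
import re

# BSD-style digest line, e.g. "MD5 (name.iso) = 0123...abcd"
LINE = re.compile(r"^(MD5|SHA1|SHA256) \((.+)\) = ([0-9a-fA-F]+)$")

def parse_checksums(text):
    """Map file name -> {algorithm: lowercase hex digest}."""
    table = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            algo, name, digest = m.groups()
            table.setdefault(name, {})[algo] = digest.lower()
    return table

def digest_stream(stream, algo, chunk=1 << 20):
    """Hash a file-like object in chunks so a large ISO never sits in memory."""
    h = hashlib.new(algo.lower())
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def verify(name, stream, table):
    """Return 'OK', 'MISMATCH', or 'UNLISTED' when the file has no entry."""
    expected = table.get(name)
    if not expected:
        return "UNLISTED"          # no published digest: never treat as verified
    algo = next(a for a in ("SHA256", "SHA1", "MD5") if a in expected)
    actual = digest_stream(stream, algo)
    return "OK" if hmac.compare_digest(actual, expected[algo]) else "MISMATCH"

# Constructed sample: a stand-in "image" and the checksum file published for it.
IMAGE = b"constructed ISO contents " * 4096
CHECKSUMS = ("MD5 (sample-disc1.iso) = %s\nSHA256 (sample-disc1.iso) = %s\n"
             % (hashlib.md5(IMAGE).hexdigest(), hashlib.sha256(IMAGE).hexdigest()))
TABLE = parse_checksums(CHECKSUMS)

if __name__ == "__main__":
    print(verify("sample-disc1.iso", io.BytesIO(IMAGE), TABLE))
    print(verify("sample-disc1.iso", io.BytesIO(IMAGE[:-1] + b"X"), TABLE))
    print(verify("other.iso", io.BytesIO(IMAGE), TABLE))
```
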


Re: Bittorrent secure?

2005-01-25 Thread Miguel Mendez
On Tue, 25 Jan 2005 20:22:53 +0100
Hanspeter Roth [EMAIL PROTECTED] wrote:

 how secure is Bittorrent? How can one know how trustworthy the stuff
 downloaded from other Bittorrent fellows is?

This is a bit OT for a FreeBSD list, but I'll answer it anyway. A torrent
file contains info about the tracker and hashes for each part of the
file(s). So, quick answer, no, you cannot join a tracker and inject
bogus data because the hash check will fail. If you can trust the person
who created the torrent and initially seeds the file you're good to go.

Cheers,
-- 
Miguel Mendez [EMAIL PROTECTED]
http://www.energyhq.es.eu.org
PGP Key: 0xDC8514F1
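
Added example, not part of any poster's message: the per-piece hash check described in this thread, for single-file BitTorrent v1 metadata. The payload, file name and tracker URL are constructed, and `make_torrent`, `bad_pieces` and `info_hash` are names chosen here, not from any client.

```python
import hashlib

def bdecode(data, i=0):
    """Decode one bencoded value at data[i]; return (value, next_index)."""
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                           # list or dict, closed by "e"
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            value, i = bdecode(data, i)
            items.append(value)
        return (items if c == b"l" else dict(zip(items[0::2], items[1::2]))), i + 1
    colon = data.index(b":", i)                     # byte string: <len>:<bytes>
    n = int(data[i:colon])
    return data[colon + 1:colon + 1 + n], colon + 1 + n

def bencode(v):  # ints, bytes and dicts only: enough for single-file metadata
    if isinstance(v, int):
        return b"i%de" % v
    if isinstance(v, bytes):
        return b"%d:%s" % (len(v), v)
    return b"d" + b"".join(bencode(k) + bencode(x) for k, x in sorted(v.items())) + b"e"

def bad_pieces(torrent, payload):
    """Indexes of pieces whose SHA-1 differs from the hash in the .torrent."""
    info = bdecode(torrent)[0][b"info"]
    size, hashes = info[b"piece length"], info[b"pieces"]
    if len(payload) != info[b"length"] or len(hashes) % 20:
        raise ValueError("payload length or hash table does not match metadata")
    return [n for n in range(len(hashes) // 20)
            if hashlib.sha1(payload[n * size:(n + 1) * size]).digest()
            != hashes[n * 20:(n + 1) * 20]]

def info_hash(torrent):  # SHA-1 of the canonically encoded info dict
    return hashlib.sha1(bencode(bdecode(torrent)[0][b"info"])).hexdigest()

def make_torrent(payload, size):  # what the original seeder publishes
    pieces = b"".join(hashlib.sha1(payload[o:o + size]).digest()
                      for o in range(0, len(payload), size))
    info = {b"length": len(payload), b"name": b"sample.iso",
            b"piece length": size, b"pieces": pieces}
    return bencode({b"announce": b"http://tracker.example/announce", b"info": info})

# Constructed sample: 1000 bytes in 256-byte pieces (the last piece is short).
PAYLOAD = bytes(i % 251 for i in range(1000))
TORRENT = make_torrent(PAYLOAD, 256)
TAMPERED = PAYLOAD[:300] + b"\x00" + PAYLOAD[301:]   # one byte changed in piece 1
```

`bad_pieces(TORRENT, TAMPERED)` reports piece 1, while metadata rebuilt from the altered data verifies it cleanly but has a different `info_hash`: the check is only as trustworthy as the place the .torrent came from.
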





Re: Bittorrent secure?

2005-01-25 Thread Chuck Swiger
Hanspeter Roth wrote:
 how secure is Bittorrent?

It's not secure.

 How can one know how trustworthy the stuff
 downloaded from other Bittorrent fellows is?

You need to have an external source of information which specifies a checksum
or MD5 hash to confirm that the file has not been tampered with.  If you trust
the Torrent tracker file, then BitTorrent has this part built-in.  Otherwise,
you would use something like the distinfo files in /usr/ports to help confirm
the validity of files.

On the other hand, Torrent doesn't do any worse than FTP or HTTP.
--
-Chuck


Re: Bittorrent secure?

2005-01-25 Thread Hanspeter Roth
  On Jan 25 at 14:48, Chuck Swiger spoke:

 Hanspeter Roth wrote:
 how secure is Bittorrent?
 
 It's not secure.
 
 How can one know how trustworthy the stuff
 downloaded from other Bittorrent fellows is?
 
 You need to have an external source of information which specifies a 
 checksum or MD5 hash to confirm that the file has not been tampered with.  

That is to say I should download CHECKSUM.MD5 from one of the public
FTP-servers by hand and do the MD5 checks myself, right?

 If you trust the Torrent tracker file, then BitTorrent has this part 
 built-in.  Otherwise, you would use something like the distinfo files in 
 /usr/ports to help confirm the validity of files.

BitTorrent doesn't get some public checksums from some public
servers transparently, does it?

 On the other hand, Torrent doesn't do any worse than FTP or HTTP.

The FTP-servers should be more or less official and should contain
more or less uncompromised data.
Hosts that offer BitTorrent probably are less official.

-Hanspeter


Re: Bittorrent secure?

2005-01-25 Thread Chuck Swiger
Hanspeter Roth wrote:
 On Jan 25 at 14:48, Chuck Swiger spoke:
  You need to have an external source of information which specifies a
  checksum or MD5 hash to confirm that the file has not been tampered with.

 That is to say I should download CHECKSUM.MD5 from one of the public
 FTP-servers by hand and do the MD5 checks myself, right?

Yes indeed, or use the files in a context like the ports tree, which does this
sort of checking for you.

  If you trust the Torrent tracker file, then BitTorrent has this part
  built-in.  Otherwise, you would use something like the distinfo files in
  /usr/ports to help confirm the validity of files.

 BitTorrent doesn't get some public checksums from some public
 servers transparently, does it?

Each file distributed by BitTorrent has a tracker and a seed .torrent which
describes the checksums of the file (and its parts), and manages the list of
hosts offering the file.

  On the other hand, Torrent doesn't do any worse than FTP or HTTP.

 The FTP-servers should be more or less official and should contain
 more or less uncompromised data.

A lot of people thought that about ftp.gnu.org, or ftp.sendmail.org, or other
well-known FTP sources which have been compromised.

 Hosts that offer BitTorrent probably are less official.

True, but you are not relying on them to confirm the downloaded data is
correct, you are relying on the seed host and its .torrent file.

--
-Chuck