MD5 should not be used at all from a security point of view. However it is still possible to detect if the file got (accidentally) corrupted on the way to your machine. And I think that is exactly what the MD5 sum is for in this case. It's not there to prevent you from downloading a maliciously modified version of owncloud.
just my 2 cents On 07/04/2014 08:05 AM, Justin Vallon wrote: > I just noticed that the 6.0.4 MD5s are served via http. They should be > protected with HTTPS (or signed with a private key). Without any > authentication of the MD5s, verifying the signature is pointless, from a > security point of view. > > It looks like https://download.owncloud.org serves the same content as > http://download.owncloud.org (for the MD5 URL). It appears that all > that would need to be done is change the http links to https for the MD5s. > > [Page: https://owncloud.org/changelog/] > > > > _______________________________________________ > User mailing list > [email protected] > http://mailman.owncloud.org/mailman/listinfo/user > _______________________________________________ User mailing list [email protected] http://mailman.owncloud.org/mailman/listinfo/user
