On 03/08/2008 00:42, Twayne wrote:
>> Do checksums do the same thing as digital signatures?
>
> No, they are not the same thing in any way. Apples and oranges; they do
> not do the same thing. Using one does not negate using the other. One
> being OK has nothing to do with whether the other will get the same
> result.
>
> A signature is nothing more than having some company vouch for you in
> verifiable ways, that you are who you say you are. A checksum is simply
> a calculated number for code which can be checked after transport to see
> if the sum has remained identical to what was used as a source. They
> ARE the same in that, if you allow automagical operation, they can
> easily be forged to be what you want/expect to see.

This is a half truth. A digital signature is no more and no less than an
encrypted hash. Several digital signature systems use MD5 as the hash.
The difference is the [imputed] trustworthiness of the result. A
published hash is easier to fake than is the digital certificate on
which the digital signature is based. That's because the certificate
used to check the signature is *usually* taken from an extremely
trustworthy and unhackable place whereas a straight hash is *normally*
taken from the same (relatively easy to hack) place as the file was
taken from. This in turn means that the signature is *much* more likely
to belong to the putative author of the file and this means that if the
signature checks out then the file is much more likely to be genuine.

> However, as long as you get the checksum (hash) from OO.o, and you use a
> legitimate hasher, there is a good chance you will discover anything
> untoward.
>
> In addition to that, I always check the MD5 or whatever is offered,
> simply to assure myself that I did not get a "broken" download where a
> bit or two slipped out into the ether. Whenever the sums are offered
> IMO, it makes sense to use them.

Trusting the MD5 is only a good idea if you are certain you got the file
and the MD5 from the right place. If the attacker can lure you to his
web site and you download his file and check his hash then he's won. As
I said, the advantage of using a signature is that the chances are that
even if you download the file from the wrong place, the certificate you
use to check the signature will be genuine and thus the attacker's file
will fail the signature test.

> Finally, I'm not aware that there is an auto-update mechanism in OO.o.

Sorry but the fact that you are not aware of it doesn't mean it doesn't
exist. In fact it does. Modern versions of OOo on Windows offer
automatic update. I can't comment on Linux or Mac but I doubt they are
different. I quote from the Help:
==== begin quote ===
Online Update
Specifies some options for the automatic notification and downloading of
online updates to OpenOffice.org.
To access this command...
Choose Tools - Options - OpenOffice.org - Online Update
Check for updates automatically
Mark to check for online updates periodically, then select the time
interval how often OpenOffice.org will check for online updates.
OpenOffice.org will check once a day, week, or month, as soon as a
working Internet connection is detected. If you connect to the Internet
by a proxy server, set the proxy on Tools - Options - Internet - Proxy.
When an update is available, an icon in the menu bar displays some
explaining text. Click the icon to proceed.
If you disable the check, the icon is removed from the menu bar.
Online Update is a module that can be selected or deselected to be
installed. Choose the customized installation in the Setup of
OpenOffice.org.
Every Day
A check will be performed once a day.
Every Week
A check will be performed once a week. This is the default setting.
Every Month
A check will be performed once a month.
==== end quote ===
If I remember correctly this is the default setting. I can easily
imagine that most users, although not necessarily most users subscribed
to this list (who are clearly more sophisticated ;-) ), will allow
automatic updates in the same way they do for Windows, for Adobe PDF
Reader, for iTunes and so on and so forth.
--
Harold Fuchs
London, England
Please reply *only* to [email protected]
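
The trust difference discussed in this thread, as an added example that is not part of the original messages: a checksum published beside a file is compared with a signature checked against a public key obtained independently of the download site. Assumptions: the site dictionaries and sample bytes are constructed, SHA-256 stands in for the MD5 mentioned in the thread, and the key is a toy textbook-RSA key built from publicly known Mersenne primes with no padding, for illustration only.

```python
import hashlib

# Toy textbook-RSA key (assumption for illustration): both primes are publicly
# known Mersenne primes and no padding is used. Never sign real data this way.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public key, obtained out of band
D = pow(E, -1, (P - 1) * (Q - 1))      # private key, held only by the publisher

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes) -> int:
    """Publisher side: transform the hash with the private exponent."""
    return pow(digest(data), D, N)

def signature_ok(data: bytes, sig: int) -> bool:
    """User side: recover the hash with the public key and compare."""
    return pow(sig, E, N) == digest(data)

def checksum_ok(data: bytes, published_hex: str) -> bool:
    return hashlib.sha256(data).hexdigest() == published_hex

def check_download(site: dict) -> dict:
    """Run both checks on what a site serves; the public key never comes from the site."""
    return {"checksum": checksum_ok(site["file"], site["sha256"]),
            "signature": signature_ok(site["file"], site["sig"])}

# Constructed sample data.
genuine = b"installer bytes v1 (constructed sample)"
tampered = b"installer bytes v1 + extra payload (constructed sample)"

official_site = {"file": genuine,
                 "sha256": hashlib.sha256(genuine).hexdigest(),
                 "sig": sign(genuine)}
# A look-alike site can recompute the hash for its own file, but without D it
# cannot make a new signature, so the best it can do is replay the genuine one.
lookalike_site = {"file": tampered,
                  "sha256": hashlib.sha256(tampered).hexdigest(),
                  "sig": official_site["sig"]}
# A download from the official site damaged in transit: last byte changed.
corrupted = dict(official_site, file=genuine[:-1] + b"?")

if __name__ == "__main__":
    for name, site in (("official", official_site),
                       ("lookalike", lookalike_site),
                       ("corrupted", corrupted)):
        print(name, check_download(site))
```

The checksum catches the corrupted transfer but passes on the look-alike site, because file and hash come from the same source; the signature fails in both cases.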