Download Checksums (MD5 / SHA1)

MrElvey
Posts: 16
Joined: Tue Jan 27, 2009 3:42 am

Download Checksums (MD5 / SHA1)

Postby MrElvey » Tue Jan 27, 2009 3:50 am

Objective Development:

For the paranoid, please serve the .dmg over HTTPS, or provide Checksums (MD5 and/or SHA1) on a secure web page. :shock:

Given LS is for the paranoid, I'm surprised I can't find these already. I googled for them and got no results. Nothing at http://www.obdev.at/products/littlesnitch/download.html either.

Example:


 /usr/bin/openssl sha1 LittleSnitch_2_0_5.dmg =>
SHA1(LittleSnitch_2_0_5.dmg)= e81f3117f9c9a561d34ee0c5fd6e557d6caf855.
 md5 LittleSnitch_2_0_5.dmg =>
MD5 (LittleSnitch_2_0_5.dmg) = d5b6ec4bd39a4f8426efb58bc1ed184.


Yes, I've submitted this to support, since it's something only the company can do.
:arrow: :arrow: :arrow:
A pleasing response (edited for clarity):
Thanks for the suggestion! I have forwarded it to our webmaster.

BTW: Although Little Snitch is for the paranoid, this is the first
request of this type we have received...

Regards, Christian.


There's a very good paper on the topic:
"Insecurities within automatic update systems" by ing. P. Ruissen and ing. R. Vloothuis (Research project 2, MSc in System and Network Engineering, University of Amsterdam, Class of 2006-2007)



I wonder what they're up to now... :arrow:

No word yet. (10Feb2009) :arrow:
Last edited by MrElvey on Mon Feb 02, 2009 5:12 pm, edited 1 time in total.
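
An added example, not part of the original post and not Objective Development's tooling: checking a downloaded file against a reference digest of the kind the post asks for. All function names are hypothetical, the file contents in `demo()` are constructed, and the check is only meaningful if the reference digest was obtained over a channel an attacker on the network path cannot alter (for example an HTTPS page).

```python
import hashlib
import hmac
import os
import tempfile

# Hex-digest length -> hashlib algorithm name.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_expected(expected):
    """Normalise a published digest and infer its algorithm from its length."""
    cleaned = expected.strip().lower()
    if not cleaned or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("reference digest is not hexadecimal: %r" % expected)
    algo = ALGO_BY_HEX_LEN.get(len(cleaned))
    if algo is None:  # e.g. a character lost in copy/paste
        raise ValueError("%d hex chars matches no digest size" % len(cleaned))
    return algo, cleaned


def file_digest(path, algo, chunk_size=1 << 20):
    """Hash the file in chunks so a large disk image is never loaded whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected):
    """True only if the file hashes to the trusted reference digest."""
    algo, want = parse_expected(expected)
    return hmac.compare_digest(file_digest(path, algo), want)


def demo():
    # Constructed sample: a small stand-in file, not a real installer.
    data = b"constructed sample disk image\n"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
    try:
        good = hashlib.sha1(data).hexdigest()
        bad = ("0" if good[0] != "0" else "1") + good[1:]
        return verify_download(tmp.name, good), verify_download(tmp.name, bad)
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    print(demo())
```

A malformed reference digest raises `ValueError` instead of returning `False`, so a bad copy of the reference value is not mistaken for a tampered file.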


Re: Download Checksums (MD5 / SHA1)

Postby MrElvey » Sun Aug 23, 2009 5:12 pm

Still no reply on this. :( :evil: :evil: :evil: :( MITM attacks are trivial given known DNS flaws, until this is addressed. HELLO?

cousinisaac
Posts: 3
Joined: Fri Aug 28, 2009 6:39 am

Re: Download Checksums (MD5 / SHA1)

Postby cousinisaac » Fri Aug 28, 2009 9:06 am

Agreed. Bump.


Re: Download Checksums (MD5 / SHA1)

Postby MrElvey » Tue Sep 29, 2009 2:50 am

cousinisaac wrote: Agreed. Bump.


[OT] I think I know you! I met you years ago; mainly remember that I dug your album at the time's CCCP shtick and music.

Perhaps a working strategy would be to buy it and then contact technical support.

I sent the following reply after I asked for an update and heard back:

>
>
> Hello Matthew,
>
> Thanks again for your feedback!
>
> We've planned to address this issue by utilizing the code signing
> capabilities of Mac OS X, which will ensure the origin and integrity of
> the downloaded code. This has the advantage that all users, even those
> without any command line skills, will get the origin and integrity of the
> download checked automatically.
>
>
> Best Regards,
>
> Objective Development
> http://www.obdev.at/
>
Sounds like a plan. Has this been done? If not, if I buy it, and email you again, will you provide the appropriate checksums promptly and in a secure manner?


Re: Download Checksums (MD5 / SHA1)

Postby MrElvey » Sun Oct 03, 2010 1:10 am

HELLO?!!!?


Re: Download Checksums (MD5 / SHA1)

Postby MrElvey » Sun Oct 03, 2010 1:10 am

:evil: :evil: :evil: :evil: :evil: :evil: :evil: :evil: :evil: :evil: :evil: :evil:
YOU'D THINK A COMPANY WHO PUTS OUT A SECURITY PRODUCT WOULD CARE ABOUT THE SECURITY OF THEIR PRODUCT.

paranoia
Posts: 3
Joined: Fri Oct 29, 2010 9:31 pm

Re: Download Checksums (MD5 / SHA1)

Postby paranoia » Fri Oct 29, 2010 9:36 pm

Want to buy this product.

Really want to buy this product.

Can't verify the download in any way.

My system has been hacked before...can't trust this download.

I won't buy it until checksums are posted.

I'm sure many others agree, and will refuse to go through the trouble of posting here on the forum asking for the checksum.

But I really, really want to buy this product.

I can't.

Not until I can verify the checksum.


Re: Download Checksums (MD5 / SHA1)

Postby MrElvey » Sun Oct 31, 2010 5:39 am

paranoia wrote: Want to buy this product.

Really want to buy this product.

Can't verify the download in any way.

My system has been hacked before...can't trust this download.

I won't buy it until checksums are posted.

I'm sure many others agree, and will refuse to go through the trouble of posting here on the forum asking for the checksum.

But I really, really want to buy this product.

I can't.

Not until I can verify the checksum.

OMFG! (Checksums posted here (MD5 (LittleSnitch-2.3.1.dmg) = 68b5a356922be8ce08f29fe2e849126e) wouldn't help. https://secure.obdev.at/viewtopic.php?f ... 471#p16471 doesn't come up.)


RESOLVED.

Postby MrElvey » Sun Oct 31, 2010 5:43 am

IT'S FINALLY POSSIBLE TO DOWNLOAD THE INSTALLER SECURELY!

THIS URL WORKS: https://secure.obdev.at/downloads/Littl ... -2.3.2.dmg

Trust that. It is IMPOSSIBLE to SECURELY verify an untrusted download by relying on checksum hashes I or anyone else, including staff, post here.

(e.g.
MD5 (LittleSnitch-2.3.2.dmg) = 5a6aceb8cfa0e46d0e845820b68d5fcc
SHA1(LittleSnitch-2.3.2.dmg)= 3feced4d2943273005c0cee0eb34c64e16a798de
)

They're not reliable because they're vulnerable to MITM attack.
Last edited by MrElvey on Mon Nov 01, 2010 7:46 pm, edited 1 time in total.


Re: Download Checksums (MD5 / SHA1)

Postby paranoia » Sun Oct 31, 2010 7:23 am

OMFG! (Checksums posted here (MD5 (LittleSnitch-2.3.1.dmg) = 68b5a356922be8ce08f29fe2e849126e) wouldn't help


Where did you find the checksum (68b5a356922be8ce08f29fe2e849126e)? I can't find any checksum posted on their website or forums.


Re: Download Checksums (MD5 / SHA1)

Postby MrElvey » Mon Nov 01, 2010 7:39 pm

paranoia wrote:
OMFG! (Checksums posted here (MD5 (LittleSnitch-2.3.1.dmg) = 68b5a356922be8ce08f29fe2e849126e) wouldn't help


Where did you find the checksum (68b5a356922be8ce08f29fe2e849126e)? I can't find any checksum posted on their website or forums.


Forget the checksums. Just use the secure download URL.

As I said: Checksums posted here wouldn't help.

Secure (HTTPS) downloads weren't available until recently.

