Butor Zigzag

@briankrebs As a Young Man Who Doesn't Understand Cloud, I never understood the security model for these. It's likely that I downloaded the software and the hash from the same place (their website). How can that help me determine if the website is compromised?

3 comments
Dragon-sided D

@butorzigzag @briankrebs It ensures that the executable you run is the same as the one the author released -- not one that was subsequently subtly altered (e.g. via MITM or maybe a later malicious repo upload).

whereami

@dragonsidedd @butorzigzag @briankrebs No, it doesn’t, because a threat actor who compromises the author’s website can change both the executable and the published hash.

Dragon-sided D

@whereami @butorzigzag @briankrebs That's true, and if it's in your threat model, you'll want to wait for caches like Internet Archive or Google/Bing to check against.
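
The disagreement in this thread, as an added example that is not part of any post: a download is checked against reference hashes gathered from several channels, and the verdict separates "matches the one hash the site published" from "matches hashes obtained independently". The channel labels, function names and sample bytes are hypothetical and constructed for illustration.

```python
import hashlib
import io

# Constructed sample data: stand-ins for the author's release and an altered copy.
RELEASE = b"constructed installer bytes, version 1"
TAMPERED = b"constructed installer bytes, version 1 plus implant"


def sha256_stream(stream, chunk_size=65536):
    """Hash a file-like object in chunks so large downloads need not fit in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def check_download(stream, references):
    """Compare a download against hashes from named channels.

    references maps a channel label (hypothetical, e.g. "website",
    "archive-snapshot") to the hex SHA-256 obtained from that channel.
    """
    if not references:
        raise ValueError("no reference hashes supplied")
    actual = sha256_stream(stream)
    normalized = {name: value.strip().lower() for name, value in references.items()}
    differing = sorted(name for name, value in normalized.items() if value != actual)

    if len(set(normalized.values())) > 1:
        # The channels contradict each other: one of them has been changed.
        verdict = "sources-disagree"
    elif differing:
        # Channels agree with each other but not with the file: altered in transit or at rest.
        verdict = "mismatch"
    elif len(normalized) == 1:
        # Only proves the file matches what that single channel currently publishes.
        verdict = "match-single-source"
    else:
        verdict = "match-independent"
    return {"verdict": verdict, "actual": actual, "differing": differing}


if __name__ == "__main__":
    good = hashlib.sha256(RELEASE).hexdigest()
    bad = hashlib.sha256(TAMPERED).hexdigest()
    # Site compromised: file and published hash were both replaced.
    print(check_download(io.BytesIO(TAMPERED), {"website": bad})["verdict"])
    print(check_download(io.BytesIO(TAMPERED),
                         {"website": bad, "archive-snapshot": good})["verdict"])
```

A "match-single-source" result is all a same-site hash can give; only the second call, with a hash captured before the compromise, exposes the swap.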
