Topic: Checksums for Multicommander installer package downloads?

koemyndo

Checksums for Multicommander installer package downloads?
« on: February 09, 2015, 19:55:15 »
Hi,
Searched these forums - can't find any mention of checksums for the Multicommander installer - OR portable - packages (from http://www.multicommander.com/downloads).

I see the note on D/L page,
Quote
> Only download the portable version from this site.
> Because the portable version is a normal zip archive, you cannot know if anyone else has changed and modified the files inside.
Which is understandable, but are there no checksums?

No - checksums don't guarantee safety, but are at least useful to make sure the download is accurate.
Or (possibly?) if MITM hackers/adversaries editing the original installer/portable packages weren't very clever. Probably a very low chance of that, but...

Just an observation:  d/l page mentions only getting the portable vers. from this site, but d/l page uses http - not https.
Thanks.


Mathias (Author)

Re: Checksums for Multicommander installer package downloads?
« Reply #1 on: February 10, 2015, 09:08:40 »
> Hi,
> Searched these forums - can't find any mention of checksums for the Multicommander installer - OR portable - packages (from http://www.multicommander.com/downloads).
>
> I see the note on D/L page,
> Quote
> > Only download the portable version from this site.
> > Because the portable version is a normal zip archive, you cannot know if anyone else has changed and modified the files inside.
> Which is understandable, but are there no checksums?
Checksums are planned, but my system does not allow for them to be auto-generated at the moment.
And doing it manually is too much work (since almost nobody really cares to check it anyway).

> No - checksums don't guarantee safety, but are at least useful to make sure the download is accurate.
> Or (possibly?) if MITM hackers/adversaries editing the original installer/portable packages weren't very clever. Probably a very low chance of that, but...
Well, that's why you should always download it from my site and not some download site or torrent or other place.
But yes, a MITM attack can replace the downloaded file. But since almost nobody will check the checksum anyway, it will not help them. And in a MITM attack they can also change what the displayed checksum is on the page.

> Just an observation:  d/l page mentions only getting the portable vers. from this site, but d/l page uses http - not https.
HTTPS alone does not give you any protection. You also need certificates, and they are expensive... and MC's budget is 0...
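
The check discussed in this thread, as an added example that is not part of the original posts or of Multi Commander: a SHA-256 comparison of a downloaded archive against a sha256sum-style manifest. The file name `portable.zip`, the archive contents and the manifest are constructed for illustration, and the manifest is assumed to have been obtained over a channel a man-in-the-middle cannot alter, since a digest shown on the same tampered page proves nothing.

```python
import hashlib, hmac, io, zipfile

def sha256_stream(fileobj, chunk=1 << 16):
    """Hash a file-like object in chunks so large installers need not fit in memory."""
    h = hashlib.sha256()
    for block in iter(lambda: fileobj.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style lines ('<64 hex>  <name>') into {name: digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # text mode uses two spaces, binary mode ' *'
        if len(digest) != 64 or not name or set(digest.lower()) - set("0123456789abcdef"):
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name] = digest.lower()
    return entries

def verify_download(name, fileobj, manifest):
    """Return 'ok', 'mismatch', or 'unlisted' (no digest published for this name)."""
    expected = manifest.get(name)
    if expected is None:
        return "unlisted"  # fail closed: an unlisted file is not a verified file
    actual = sha256_stream(fileobj)
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"

def build_zip(files):
    """Build an in-memory zip with fixed timestamps (helper for the constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, data in files.items():
            zf.writestr(zipfile.ZipInfo(member, date_time=(2015, 2, 9, 0, 0, 0)), data)
    return buf.getvalue()

# Constructed sample data: a "published" archive and a copy with one member changed.
ORIGINAL = build_zip({"app.exe": b"MZ original build", "readme.txt": b"hello"})
TAMPERED = build_zip({"app.exe": b"MZ modified build", "readme.txt": b"hello"})
MANIFEST = parse_manifest(hashlib.sha256(ORIGINAL).hexdigest() + "  portable.zip\n")

if __name__ == "__main__":
    for label, blob in (("original", ORIGINAL), ("tampered", TAMPERED)):
        print(label, verify_download("portable.zip", io.BytesIO(blob), MANIFEST))
```

Changing a single file inside the archive changes the archive's digest, so the comparison catches a repackaged zip as long as the expected value itself is trustworthy.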