Why companies continue to use MD5. It so difficult use sha256
Why do people still use MD5?
Because you don't check the sums anyway
You'd better ask why developers don't add PGP signatures to distributed binaries.
found your problem
Because it works and you're stupid.
speed. if i want to just check that a file downloaded or transferred correctly and the site or it's just a disk to disk transfer and I know it's already good and i don't want to waste the additional 0.5s that better hashing algo's will take.
b-but the NSA is watching muh HTTP request to gayfaggot.com with billions of servers just waiting to collide the hash!!!
Yes, they really are fucking waiting to do that if you are a target of interest.
Don't be silly, that will only happen if you use (((https)))
Because companies host their stuff on their own website.
If the sha256 hash and the content associated come from the same source (same server), the hash is only good for error checking.
Do you think the NSA can really patch in a backdoor and add enough filler to dupe the MD5 code and keep the file size small enough so that you won't notice?
If it's something many people access and do so often, then yes. Like say for example, the linux kernel source code tarballs. Or certain gentoo or arch packages of importance. Use your imagination.
implying they do not already have all recent unique content seen on HTTP already cached and cracking
Well fucking duh. You're supposed to verify with other sources that the hash is correct.
If everyone else got the faked file, how do you ever know it is correct?
implying they don't already have all content, http or https, cached and being cracked
they don't, it is a crack on demand thing. Not needed for http obviously.
how do you ever know it is correct?
Because theoretically they'd find out at some point if the file is bad. If someone's reported hash from 6 months ago matches yours, you're probably fine.
why do companies still have XSS vulns?
why do companies still have SQLi?
why do companies still have RCE?
why do companies still use web?
why do companies be SJW?
why do companies recall 500 products a year?
why do companies run outdated software and software with bad reputations?
why do companies make IoT?
wait if you got a file from a site there's literally no point in it providing a hash unless you have some piece of shit HDD. it either uses HTTP, in which case MiTM can just replace the hash, or HTTPS, in which case the file integrity is already "assured" by HTTPS, and having the hash there provides no extra protection. you should be using something proper like OpenPGP anyway
You can use MD5 if it's PGP signed there's nothing to worry about.
but I do
this is a bit more work to check
they have sha256 sums for VirtualBox and Java, though
are you implying that (((https))) is less safe than (((http)))?
if the hash is served over https and the content over http, then it's more than regular error checking.
For a firmware updater I wrote, I get hashes over https then download the firmware unencrypted (it's fairly large, about 160MiB). GnuPG would be a bad idea as it's a lot of bloat to have to install on a system, there's a lot of additional complexity in handling all that and maintaining trust, it requires a different set of credentials than everything else, and it requires clock synchronization for proper trust which isn't practical as many networks block NTP (yes I know they shouldn't).
proper like OpenPGP anyway
... which is used to sign the checksums.
many networks block NTP
any proofs on that?
reeee don't use MD5 anymore
Triggered much? MD5 works fine for checking file integrity. No need to use SHA256 for that. You seem to have the newer == better mentality. You're not right friend.
what is blake2
I'll tell you what it is: superior to MD5 in literally every way
I am proofs. I've been building networking devices for two decades and I'm telling you what I run into.
Which ports are commonly open besides 443 and 80?
The issue isn't inbound blocking, it's outbound/session blocking. Even when traffic originates inside the network, the replies are thrown out. NTP is the first that caused me trouble as more retards started tinkering with firewalling, but now major websites are often blocking ICMP unreach replies /to their own traffic/. Zendesk does this, for example.
So in this case which ports are safer to use for traffic that must go in both directions and besides 443 and 80?
I really don't understand what you mean. Safer in what way? What is it that you're trying to do?
safer = less likely to be blocked in a random oppressive network.
and I'm trying to do somewhat censor proof tunnel, but it must not use 443 or 80 ports because (reasons)
For checking integrity against random bitrot, sure. For verifying whether the package has been tampered with in transit, not so much.
Oh, what you want is to have a rendezvous outside of the network. Like a STUN server or whatnot - you can reuse whatever anti-NAT tech you prefer. Then establish the connection out and listen on the remote for connections so you don't have to deal with firewalls/IDS blocking incoming.
The VPN service I built for my company uses EC2 boxes for this (I have them connect their branch offices via cellular which are a shitshow for incoming), but be aware that IPs on cloud services are heavily abused and you'll have to deal with being blocked by many websites.