Why companies continue to use MD5. It so difficult use sha256
Why do people still use MD5?
Jace Cruz
Jonathan Sullivan
Because you don't check the sums anyway
Benjamin Nguyen
You'd better ask why developers don't add PGP signatures to distributed binaries.
Julian James
(((Oracle)))
found your problem
Hudson Allen
Because it works and you're stupid.
Jeremiah Adams
speed. if i want to just check that a file downloaded or transferred correctly and the site or it's just a disk to disk transfer and I know it's already good and i don't want to waste the additional 0.5s that better hashing algo's will take.
William Peterson
b-but the NSA is watching muh HTTP request to gayfaggot.com with billions of servers just waiting to collide the hash!!!
Leo Perry
Yes, they really are fucking waiting to do that if you are a target of interest.
Jose Nelson
Don't be silly, that will only happen if you use (((https)))
Jackson Butler
Because companies host their stuff on their own website.
If the sha256 hash and the content associated come from the same source (same server), the hash is only good for error checking.
Asher Morales
Do you think the NSA can really patch in a backdoor and add enough filler to dupe the MD5 code and keep the file size small enough so that you won't notice?
Angel Garcia
If it's something many people access and do so often, then yes. Like say for example, the linux kernel source code tarballs. Or certain gentoo or arch packages of importance. Use your imagination.
Gabriel Wright
...
Evan Williams
Well fucking duh. You're supposed to verify with other sources that the hash is correct.
Jack Nguyen
If everyone else got the faked file, how do you ever know it is correct?
they don't, it is a crack on demand thing. Not needed for http obviously.
Adrian Morgan
Because theoretically they'd find out at some point if the file is bad. If someone's reported hash from 6 months ago matches yours, you're probably fine.
Mason Rivera
why do companies still have XSS vulns?
why do companies still have SQLi?
why do companies still have RCE?
why do companies still use web?
why do companies be SJW?
why do companies recall 500 products a year?
why do companies run outdated software and software with bad reputations?
why do companies make IoT?
wait if you got a file from a site there's literally no point in it providing a hash unless you have some piece of shit HDD. it either uses HTTP, in which case MiTM can just replace the hash, or HTTPS, in which case the file integrity is already "assured" by HTTPS, and having the hash there provides no extra protection. you should be using something proper like OpenPGP anyway
Zachary Diaz
This
You can use MD5 if it's PGP signed there's nothing to worry about.
Nicholas Gonzalez
but I do
this is a bit more work to check
they have sha256 sums for VirtualBox and Java, though
lolwat?
are you implying that (((https))) is less safe than (((http)))?
if the hash is served over https and the content over http, then it's more than regular error checking.
Chase Thompson
For a firmware updater I wrote, I get hashes over https then download the firmware unencrypted (it's fairly large, about 160MiB). GnuPG would be a bad idea as it's a lot of bloat to have to install on a system, there's a lot of additional complexity in handling all that and maintaining trust, it requires a different set of credentials than everything else, and it requires clock synchronization for proper trust which isn't practical as many networks block NTP (yes I know they shouldn't).
Oliver Green
... which is used to sign the checksums.
Eli Robinson
WAT
any proofs on that?
Caleb Perez
Triggered much? MD5 works fine for checking file integrity. No need to use SHA256 for that. You seem to have the newer == better mentality. You're not right friend.
Nathan Cook
I'll tell you what it is: superior to MD5 in literally every way
Camden Miller
I am proofs. I've been building networking devices for two decades and I'm telling you what I run into.
Austin Gray
Which ports are commonly open besides 443 and 80?
Hunter Murphy
The issue isn't inbound blocking, it's outbound/session blocking. Even when traffic originates inside the network, the replies are thrown out. NTP is the first that caused me trouble as more retards started tinkering with firewalling, but now major websites are often blocking ICMP unreach replies /to their own traffic/. Zendesk does this, for example.
Noah Wright
So in this case which ports are safer to use for traffic that must go in both directions and besides 443 and 80?
Joseph Phillips
I really don't understand what you mean. Safer in what way? What is it that you're trying to do?
Jeremiah Wright
safer = less likely to be blocked in a random oppressive network.
Noah Garcia
and I'm trying to do somewhat censor proof tunnel, but it must not use 443 or 80 ports because (reasons)
Mason Adams
For checking integrity against random bitrot, sure. For verifying whether the package has been tampered with in transit, not so much.
Evan Reed
Oh, what you want is to have a rendezvous outside of the network. Like a STUN server or whatnot - you can reuse whatever anti-NAT tech you prefer. Then establish the connection out and listen on the remote for connections so you don't have to deal with firewalls/IDS blocking incoming.
The VPN service I built for my company uses EC2 boxes for this (I have them connect their branch offices via cellular which are a shitshow for incoming), but be aware that IPs on cloud services are heavily abused and you'll have to deal with being blocked by many websites.