First video was great. Liked & subscribed to the channel. 👍 Now watching the others.
Thank you so much..
I have one doubt here. The hash of a file changes if the file changes. So when we download a file and its hash, we compute the hash and compare it with the downloaded hash to see whether there was any alteration in the file or not. But let's say some attacker changed the contents of the file; what is stopping him from also changing the hash to match the hash of the new file he has put on the server? Does it mean this method of comparing hashes
- doesn't help in ensuring integrity when an attacker is involved, but only
- ensures integrity against some kind of download error, due to which we might have downloaded a large file with some distortion, or it stopped downloading after a partial download?
The only thing a hash does is verify the "integrity" of a message/file/data. In cyber security, everything is interconnected. Compromised security of A could lead to B getting compromised and eventually may lead to C getting compromised. Although an attacker could modify the content and its hash, the message digest is still doing what it's intended to do. The only thing that failed was the cyber security system's inability to stop the attacker. Does it make sense?
@@CyberHashira Yes. It verifies the file you intended to get, avoiding for example a hijacked link acting as the file but that was tampered with. The hash wouldn't match.
@@Benemortasia666 correctamundo!
@@CyberHashira Yes, makes sense. The hash is still doing what it's supposed to do.
You are correct, the hash could be changed by a man in the middle. The hash is normally downloaded from a separate location, like from a primary https website which is difficult to attack; the bulk data file can then be downloaded from many places such as mirrors and torrents.
A hash and file downloaded from a single source will only verify that the data was not corrupted by mistake. A gpg signature on the hash file can verify that the hash came from the original author. But a gpg signature does not work in rare cases where the author needs to remain completely anonymous.
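The scenario in the comment above, as an added example that is not part of the thread or the video: a mirror serves both the file and its SHA256SUMS, an attacker who controls the mirror replaces the file and recomputes the checksum file, and the two ways of checking are compared. The file names, contents and directory layout are constructed for the demonstration; only sha256sum from coreutils is needed.

```shell
#!/bin/sh
# Added example (not from the video or any commenter): a checksum that travels
# with the file only catches accidental corruption; a hash obtained from an
# independent channel (the publisher's own https page) catches substitution.
# All files are constructed here; no network access.

# Verify a file against the SHA256SUMS that sits next to it on the same mirror.
# Returns 0 when the recorded hash matches the file, 1 otherwise.
check_against_sums() {
    dir=$1
    ( cd "$dir" && sha256sum -c --status SHA256SUMS )
}

# Verify a file against a hash string obtained out of band, for example copied
# from the project's release page. Returns 0 on match, 1 on mismatch.
check_against_pinned() {
    file=$1
    expected=$2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Build the scenario: the publisher releases tool.tar, a mirror serves it with
# SHA256SUMS, the user records the hash from the publisher's page, then an
# attacker who controls the mirror swaps the file and updates SHA256SUMS too.
# Prints the working directory it created.
setup_scenario() {
    work=$(mktemp -d)
    mkdir "$work/mirror"
    printf 'genuine release content\n' > "$work/mirror/tool.tar"
    ( cd "$work/mirror" && sha256sum tool.tar > SHA256SUMS )
    # Hash copied from the publisher's https page before the mirror was attacked.
    sha256sum "$work/mirror/tool.tar" | cut -d' ' -f1 > "$work/pinned.sha256"

    # Attacker replaces the payload and regenerates the mirror's checksum file.
    printf 'trojaned content\n' > "$work/mirror/tool.tar"
    ( cd "$work/mirror" && sha256sum tool.tar > SHA256SUMS )
    echo "$work"
}

# Run both checks on the attacked mirror and report which one caught it.
demo() {
    work=$(setup_scenario)
    if check_against_sums "$work/mirror"; then
        echo "same-source check: PASSED (attacker updated the hash as well)"
    fi
    if ! check_against_pinned "$work/mirror/tool.tar" "$(cat "$work/pinned.sha256")"; then
        echo "independent-source check: FAILED (substitution detected)"
    fi
    rm -rf "$work"
}

demo
```

The same-source check passes because `sha256sum -c` can only confirm that the file and the list agree with each other; it says nothing about who wrote the list. Pinning the hash from a second channel turns the check into a comparison against something the attacker did not control.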
Hello sir, thank you for this great video. Could I ask why you chose to ignore the certificate when downloading files (--no-check-certificate)?
Hello Mahmoud, Good Question!
The wget command wasn't able to verify the authenticity of a certificate on that machine. It wasn't able to find the collection of trusted root certificates. Without --no-check-certificate, the wget command would not trust the link and therefore would not download the package I was trying to download.
How can I get the execution time for each operation (SHA-1/SHA256)?
on unix/linux -
> time openssl sha1 somefile
How could we verify pgp/asc files??
This video doesn't cover PGP/GPG. Hope you tried Google.
@@CyberHashira yes but couldn't get how to do it exactly. It will be good if you can cover in the latest videos.
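One way to verify a .asc file, as asked above, and to tie it to the earlier point about a gpg signature on the hash file: an added example, not the video's content or any commenter's code. It assumes a hypothetical layout of tool.tar, SHA256SUMS and a detached signature SHA256SUMS.asc in the current directory, and that the publisher's key fingerprint was obtained from somewhere other than the download itself. gpg and sha256sum are needed for the real verification; the status parser runs on its own.

```shell
#!/bin/sh
# Added example (not from the video or any commenter): verify a detached PGP
# signature (SHA256SUMS.asc) over a checksum file with gpg, and only then check
# the downloaded file against the checksum list.
# Assumed, hypothetical layout: tool.tar, SHA256SUMS, SHA256SUMS.asc in the
# current directory; the expected key fingerprint comes from the project's
# https site or a key-signing, never from the same download.

# Parse gpg's machine-readable status output (gpg --status-fd 1) from stdin.
# Accept only a VALIDSIG line whose signing-key or primary-key fingerprint
# equals the expected one. gpg's exit status alone, or a GOODSIG line, is also
# satisfied by any key that happens to sit in the local keyring.
# Returns 0 on accept, 1 otherwise.
status_has_validsig() {
    expected_fpr=$1
    while read -r prefix keyword fpr rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        [ "$keyword" = "VALIDSIG" ] || continue
        primary_fpr=${rest##* }   # last field of VALIDSIG: primary key fingerprint
        if [ "$fpr" = "$expected_fpr" ] || [ "$primary_fpr" = "$expected_fpr" ]; then
            return 0
        fi
    done
    return 1
}

# Verify the signature on the checksum file, then the checksums themselves.
# Arguments: checksum file, detached signature (.asc), expected fingerprint.
verify_signed_download() {
    sums=$1
    sig=$2
    expected_fpr=$3
    if ! gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null \
            | status_has_validsig "$expected_fpr"; then
        echo "signature on $sums is missing, bad, or from an unexpected key" >&2
        return 1
    fi
    # --ignore-missing: the list usually names every release artifact and we
    # downloaded one; --status: exit code only, nonzero on any mismatch or if
    # none of the listed files was present.
    if ! sha256sum -c --ignore-missing --status "$sums"; then
        echo "checksum mismatch for a file listed in $sums" >&2
        return 1
    fi
    echo "verified"
}

# Typical use, after importing the publisher's key (gpg --import KEY.asc) and
# comparing the output of `gpg --fingerprint` with the published fingerprint:
#   sh verify.sh SHA256SUMS SHA256SUMS.asc <40-hex-digit fingerprint>
if [ "$#" -eq 3 ]; then
    verify_signed_download "$1" "$2" "$3"
fi
```

The order matters: the signature is checked first, so a checksum list the attacker rewrote is rejected before any hash is compared. Insisting on a fingerprint rather than on gpg's exit code is what stops an attacker from shipping a signature made with a key they generated under the publisher's name.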
Thank you
You're welcome...