Do you verify digital signatures for downloaded files before opening them?

Discussion in 'polls' started by herbalist, Sep 22, 2007.


Do you check the digital signature for downloaded files?

  1. Always. If a hash is available, I check it.

    12 vote(s)
    14.8%
  2. Usually. I check the hash for sites I don't know well.

    4 vote(s)
    4.9%
  3. Occasionally.

    7 vote(s)
    8.6%
  4. Rarely. Only when I have a reason to be suspicious.

    23 vote(s)
    28.4%
  5. Never. Hash? What's a hash?

    35 vote(s)
    43.2%
  1. herbalist

    herbalist Guest

    Do you compare the digital signature of downloaded files to the ones posted by the site before you open it? This is not about which hash is best and only applies to sites that post a hash for the download. Do you check it at all or just assume that the file is what it's supposed to be?
     
  2. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Always, if a checksum is provided :)
     
  3. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    I don't check digital signatures and I only check hash if I think the download is corrupted, in which case I just download it again anyways.
     
  4. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    No, I just download any software from its homepage or from a trusted source like Softpedia or Filehippo.
    I might check MD5, SHA-1, but only if I had a reason to do it, but I just cannot come up with any.
     
  5. beetlejuice69

    beetlejuice69 Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    780
    The same for me as TheTOM_SK replied.
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    No, I hardly know how it looks, where to find it, what to do with it and why it is used.
    I always download from the home page, which sometimes refers to another website and I have that website stored in my installation file along with other data, if the software is a keeper of course.
    I don't download any fun stuff, like many years ago, only stuff I can use or need.
     
  7. Thanasis159

    Thanasis159 Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    86
    No I don't... I don't even know how to do it!
     
  8. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    How do I check a hash? :)
     
  9. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    I was going to write that

    :mad:
     
  10. herbalist

    herbalist Guest

    I use Febooti hash and CRC, which adds a tab to the properties menu. It covers most all the popular hashes. Makes it easy. Here's the hash tab for the present SeaMonkey installer.
    [Attached image: hash menu.gif]
    The MD5 signatures for SeaMonkey are on this page. All you do is compare the resulting MD5 on the properties tab to the matching version you downloaded. If they match, the file is good. If they don't, it's either a corrupted download or has been compromised. A lot of sites don't post digital signatures so they're not always available. Sites that offer ISO images for operating systems often post them, more as a verification tool to check that the file hasn't been corrupted during downloading. A simple check can save a huge headache.

    So far, I'm very surprised by the poll results.
    Rick
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,634
    Location:
    U.S.A. (South)
    Why do you think is it that this just doesn't surprise me that another Windows 98 loyal would discover something as completely useful as this app among a flood of others. :cool:

    Thanks so much for sharing herbalist
     
  12. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Me too o_O
     
  13. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    HashTab is another nice extension, which integrates into properties as a shell, there is 32-bit and 64-bit version (checks for MD5, SHA1, CRC32).
     
  14. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    I am also one of them that doesn't check hash and md5, mainly because I don't know why I should do that.
    Someone care to explain why it is important?
     
  15. Dogbiscuit

    Dogbiscuit Guest

    Didn't you read herbalist's post #18?
     
  16. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    Nope, I can't read the future yet ;)

    But I guess you mean his post 10?

    Ok a file is corrupted, won't I discover that when I try to execute it? Do I have to have an MD5 check to tell me something I probably will find out a couple of seconds later? In what way does a corrupted file (If corrupted means not executable? )

    If I download from say betanews, how does the file get compromised between my click on the file and the time it takes to download it?

    By compromised you mean that a bad guy has put in some malicious code into the legit program?
    Sorry if these questions seem stupid, but I am trying to understand how it is dangerous for me not to check these digital sigs (after xx years of downloading files from the net)
     
  17. Dogbiscuit

    Dogbiscuit Guest

    Oops.

    I recently downloaded an ISO image for PCLOS. The MD5 values didn't match, so it saved me a wasted CD-R.
     
  18. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    It cannot, it can just be damaged and you have no way of finding out (unless you check its signature). For more details look here - PDF File. If it is damaged, it might work, but it would result in some bugs, e.g. an ISO image of an OS could not be installed, and if it were, then something in it would not work properly and so on.

    A file can be compromised when someone adds something to it and puts the already compromised file up for download somewhere (not the original or trusted source, though it might happen). That is why MS does not like hotfix packs, because malware authors could add something to them and common users have no way to find out if some rootkit would install with it. There were compromised setups, I do not remember which, but it was like Spybot infected with malware, so if you checked the MD5 from the homepage against the downloaded file, you would find out that it was tampered with. But the point is to have the MD5 of a clean file and that is the problem. Let's say that you were going to download a firewall from an unknown webpage: they can put there the MD5 of an already infected file, and why download a file from somewhere and check the MD5 from its homepage, when it is easier to download it from the homepage already, so the MD5 check is kind of useless.
     
  19. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    Thanks for your explanation TheTom_SK.

    But if a download has been tampered with and they put a trojan or a rootkit into it, wouldn't my AV kick in then? (if it is able to detect that specific trojan, rootkit or through heuristics that is) like it does if you would download a cracked software that has been infected with a trojan?
    As you say if an unknown web page puts their MD5 on an infected file, I would have to rely on my AV nevertheless.

    So, if I understand this right, this digital sig checking is just another layer of defense? It is not the protection. You can do well with a good AV without checking the signatures?
    Personally I have scaled down my layers of defense since I seem to be a safe surfer and downloader (learnt through years of using HIPS) and want to make things as simple as possible.
     
  20. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,635
    Location:
    UK
    Unfortunately, most websites don't provide the hash key to check against. Space limitations perhaps?
     
  21. IS200

    IS200 Registered Member

    Joined:
    Jan 9, 2007
    Posts:
    32
    Location:
    pc repair dublin
    I never check the sig, but I only download from legit sites.
     
  22. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Never.
     
  23. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    Never checked digital signatures before... don't plan to either in the near future at least
     
  24. norman6810

    norman6810 Registered Member

    Joined:
    Jun 1, 2007
    Posts:
    67
    Location:
    PRChina
    I check the hash for sites I don't know well.
    It is very necessary!
     
  25. progress

    progress Guest

    Never :( Download.com should be ok :)
     