- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The official site only has md5 sums, which can have collisions easily created, and the official site serves them over HTTP, so the attacker wouldn't even need to create a collision, the attacker could just change the md5 on the page to their malware infected version.
Not being able to verify that the d/l official came from Intel means that it increases the chances that my machine will be infected w/ malware.
Note: if you're a user (not an official Intel rep), posting your hashes only marginally helps. W/o knowing your path and ensuring it is disjoint from mine just means we could be attacked by the same attacker. Best is to get an official statement from an Intel employee as to the hash.
Link Copied
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I agree that MD5 is already far outdated and that downloads should be served over HTTPS, but if an attacker has tapped so deep into your network that he can capture, modify and replay your connections, there are far easier ways to infect you than going for a real-time chosen-prefix collision on 10-20 GB Quartus archives.
You could probably provide your feedback directly to Intel in this case through the Website Feedback form:
https://www.intel.com/content/www/us/en/forms/corporate/webmaster-contact-us.html
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page