I would like to know the official SHA-256 or SHA-512 hashes of the following Quartus d/l files: Quartus-pro-18.1.0.222-devices-3.tar Quartus-pro-18.1....

JGurn · ‎12-18-2018

The official site only has md5 sums, which can have collisions easily created, and the official site serves them over HTTP, so the attacker wouldn't even need to create a collision, the attacker could just change the md5 on the page to their malware infected version.

Not being able to verify that the d/l official came from Intel means that it increases the chances that my machine will be infected w/ malware.

Note: if you're a user (not an official Intel rep), posting your hashes only marginally helps. W/o knowing your path and ensuring it is disjoint from mine just means we could be attacked by the same attacker. Best is to get an official statement from an Intel employee as to the hash.

HRZ · ‎12-19-2018

I agree that MD5 is already far outdated and that downloads should be served over HTTPS, but if an attacker has tapped so deep into your network that he can capture, modify and replay your connections, there are far easier ways to infect you than going for a real-time chosen-prefix collision on 10-20 GB Quartus archives.

You could probably provide your feedback directly to Intel in this case through the Website Feedback form:

https://www.intel.com/content/www/us/en/forms/corporate/webmaster-contact-us.html

I would like to know the official SHA-256 or SHA-512 hashes of the following Quartus d/l files: Quartus-pro-18.1.0.222-devices-3.tar Quartus-pro-18.1.0.222-linux.tar