I have never checked and compared the MD5 hash to the real MD5 hash on the programs' homepages. Programs which I have downloaded have always worked.
Is it possible that someone can put their own code in during downloading?
The MD5 hash function was originally designed for use as a secure cryptographic hash algorithm for authenticating digital signatures. But MD5 has been deprecated for uses other than as a noncryptographic checksum to verify data integrity and detect unintentional data corruption.
An MD5 hash is a form of validation. If a single bit in the file is different, the provided hash will not match the one generated from the file you downloaded. This alerts you to an error in transmission or foul play (rare).
Its main purpose is to verify that a file is unaltered. Instead of confirming that two sets of data are identical by comparing the raw data, MD5 does this by producing a checksum on both sets and then comparing the checksums to verify that they're the same.
MD5 is an older cryptographic hash function that is no longer considered secure for many applications. It turns data of any length into a fixed-length output. This output has a range of useful properties. These properties make MD5 safe for data identification and for verifying whether data has been corrupted.
A hash provides a (sort of) unique identifier for a file based on its contents. With lossy connections and poor transmission methods, as well as malicious file copies floating around, a hash provides a way of proving your file is the same file you tried downloading from the server.
You validate it by hashing the copy of the file you got, and seeing if the hashes are the same.
People can inject nasty code, change out the file being downloaded, or you could just get a corrupt download.
In terms of corrupt downloads, it's pretty rare. I don't think I've ever had a corrupted download except if it somehow got truncated and the error not reported (old FTP clients back in the day).
There might be some security benefit if you're downloading from a mirror, and you trust the real site (which publishes the MD5) more than you trust the mirror (which might be out of date, or evil, or buggy, or pwned, or something, and so might a caching web proxy between it and you). Pretty unlikely situation, though, since there's normally no reason to think that the main site is any more or less trustworthy or secure than the mirror. Still, it's a second opinion.
I don't usually bother checking published checksums unless there's a particular reason to think that they are correct and the download isn't secure (e.g. the checksum is on an https URL and the download isn't). If you're worried about evil-doers then you need signing, not just an insecurely-transmitted checksum.
I do occasionally use the hash-based virus scan reports at VirusTotal, though. I guess a published MD5sum could allow you to virus-check the file before even downloading it, and then you'd have to check the sum after download to confirm that the value you virus-checked really was for the file you downloaded.
Note that MD5 checksums are not secure if the evil-doer generates the genuine file as well as the dodgy virus-loaded one. It's possible to generate MD5 collisions, although there is not (yet) a full pre-image attack. Anyone serious about security has switched to SHA256 sums where possible. Which is less than you might hope, for legacy and resource reasons.
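The verification step described in the earlier answer ("hash the copy you got and see if the hashes are the same") and the preference for SHA256 sums in the answer above, as an added worked example that is not part of any of the original posts. It parses a checksum file in the `md5sum` / `sha256sum` output format, picks the algorithm from the digest length, streams the file through the hash, and compares with a constant-time comparison. The file name, payload and checksum lines are constructed inside the script so it runs offline; `tool-1.0.tar.gz` is a made-up name. It also shows the two failure modes the answers mention: a truncated transfer and a single flipped bit, both of which fail verification.

```python
import hashlib
import hmac
import os
import tempfile


def parse_checksum_file(text):
    """Parse lines of the form "<hexdigest>  <name>" as written by md5sum /
    sha256sum. A leading '*' on the name marks binary mode and is dropped."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip()
        if name.startswith("*"):
            name = name[1:]
        expected[name] = digest.lower()
    return expected


def algorithm_for(digest):
    """Infer the hash from the hex digest length: 32 chars = MD5, 64 = SHA-256."""
    return {32: "md5", 64: "sha256"}.get(len(digest))


def file_digest(path, algorithm, chunk_size=1 << 20):
    """Hash a file in chunks so large downloads are not read into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(path, expected_digest):
    """Return (algorithm, matched). Uses compare_digest so the comparison does
    not leak how many leading characters matched."""
    algorithm = algorithm_for(expected_digest)
    if algorithm is None:
        raise ValueError("unrecognised digest length: %d" % len(expected_digest))
    actual = file_digest(path, algorithm)
    return algorithm, hmac.compare_digest(actual, expected_digest)


def demo():
    """Constructed scenario: a fake download, the publisher's SHA256SUMS and a
    legacy MD5SUMS line, then a truncation and a bit flip. Returns the results."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        name = "tool-1.0.tar.gz"          # hypothetical file name
        path = os.path.join(d, name)
        payload = b"constructed sample download\n" * 1000
        with open(path, "wb") as f:
            f.write(payload)

        # Checksum lines as a publisher would ship them (constructed here).
        sha_line = "%s  %s\n" % (hashlib.sha256(payload).hexdigest(), name)
        md5_line = "%s *%s\n" % (hashlib.md5(payload).hexdigest(), name)
        sha_expected = parse_checksum_file(sha_line)[name]
        md5_expected = parse_checksum_file(md5_line)[name]

        results["sha256_intact"] = verify(path, sha_expected)
        results["md5_intact"] = verify(path, md5_expected)

        # Failure mode 1: transfer cut short by one byte, no error reported.
        with open(path, "r+b") as f:
            f.truncate(len(payload) - 1)
        results["sha256_truncated"] = verify(path, sha_expected)

        # Failure mode 2: a single flipped bit anywhere in the file.
        flipped = bytearray(payload)
        flipped[0] ^= 0x01
        with open(path, "wb") as f:
            f.write(flipped)
        results["sha256_bitflip"] = verify(path, sha_expected)
    return results


if __name__ == "__main__":
    for label, (algorithm, ok) in demo().items():
        print("%-18s %-7s %s" % (label, algorithm, "OK" if ok else "MISMATCH"))
```

Note that a match only tells you the file you have is the file the checksum was made from; as the answer above says, if an attacker controls both the download and the published sum, or can swap in a colliding MD5 pair, the check proves nothing, which is why a signature over the sums (or the file) is needed against a deliberate adversary.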