ZDNet UK
Story: Peer-to-peer networks carry surprising cargo

Posted by: Craig Ringer (Wednesday 11 August 2004, 10:25 AM)

You don't know what you're getting with peer-to-peer.

Hmm. I disagree. It is very common in free and open-source software circles to distribute software using BitTorrent, mirror sites, and other methods out of the direct control of the initial distributor. Nonetheless, high confidence can be had that the file has not been tampered with by validating an extremely hard-to-forge checksum (the "MD5 sum") provided by the original distributor on their website.

Near-total confidence - much better than the confidence one can have that Windows Update has not been tampered with - can be had by validating a digital signature on the update using cryptographic security programs such as PGP or GPG.

It would not be at all difficult for Microsoft to publish an MD5 sum and a small, easy-to-use utility to validate it. It would be almost as trivial to provide a simple program that uses the existing digital signature verification in Windows to validate a signature on the update. The total download size of these files could easily be under a megabyte, probably only a few hundred KB, and would save Microsoft a lot of load on their servers.

So - you can, indeed, know exactly what you're getting with P2P, as well as or even better than with unsigned updates from a central source that could theoretically be trojaned.

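The checksum step the comment above describes, as an added worked example; this is not code from the ZDNet story or from the poster. It assumes the distributor publishes a checksum list in the format written by the md5sum / sha256sum tools (one "hexdigest  filename" entry per line, an optional "*" marking binary mode) and that the downloader fetches that list directly from the distributor's site rather than from the peer that served the file. The file contents, the "update.exe" name and the checksum lines are constructed for the example (the digests are the standard MD5 and SHA-256 test vectors for the string "abc").

```python
"""Verify a P2P-downloaded file against a distributor-published checksum list.

Added example, not code from the ZDNet page or the poster. Assumes the
distributor publishes md5sum/sha256sum-style output. All file contents and
checksum lines below are constructed for the example.
"""
import hashlib
import hmac
from typing import Dict, Optional


def parse_checksum_list(text: str) -> Dict[str, str]:
    """Parse md5sum/sha256sum-style output into {filename: hexdigest}.

    Blank lines and '#' comments are skipped; a leading '*' on the filename
    (the tools' binary-mode marker) is dropped; digests are lower-cased.
    """
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = parts
        entries[name.lstrip("*")] = digest.lower()
    return entries


def digest_of(data: bytes, algorithm: str) -> str:
    """Hash the received bytes in 64 KiB chunks (so a large ISO is not passed to
    hashlib in one call) and return the lowercase hex digest."""
    h = hashlib.new(algorithm)
    chunk = 64 * 1024
    for offset in range(0, len(data), chunk):
        h.update(data[offset:offset + chunk])
    return h.hexdigest()


def verify_download(name: str, data: bytes, checksum_text: str, algorithm: str) -> bool:
    """True only if the distributor published a digest for `name` and it matches
    the bytes actually received, whichever mirror or peer delivered them.

    A file with no published entry is reported as NOT verified: "unlisted" must
    never be confused with "checked". The comparison is constant-time out of
    habit; with a public digest there is nothing to leak, but it costs nothing.
    """
    expected: Optional[str] = parse_checksum_list(checksum_text).get(name)
    if expected is None:
        return False
    return hmac.compare_digest(digest_of(data, algorithm), expected)


# --- Constructed sample: what the distributor's web site would publish -------
# MD5("abc") and SHA-256("abc") are well-known test vectors; "update.exe" is a
# stand-in name, not a real vendor file.
PUBLISHED_MD5SUMS = "900150983cd24fb0d6963f7d28e17f72  update.exe\n"
PUBLISHED_SHA256SUMS = (
    "# SHA256SUMS for the example release\n"
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad *update.exe\n"
)
GENUINE = b"abc"              # bytes the distributor actually released
TAMPERED = b"abc" + b"\x90"   # same filename, altered by a hostile peer


def demo() -> Dict[str, bool]:
    """The four outcomes a downloader cares about."""
    return {
        "genuine_md5": verify_download("update.exe", GENUINE, PUBLISHED_MD5SUMS, "md5"),
        "genuine_sha256": verify_download("update.exe", GENUINE, PUBLISHED_SHA256SUMS, "sha256"),
        "tampered_sha256": verify_download("update.exe", TAMPERED, PUBLISHED_SHA256SUMS, "sha256"),
        "unlisted_file": verify_download("other.exe", GENUINE, PUBLISHED_SHA256SUMS, "sha256"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'OK' if ok else 'FAIL'}")
```

Two caveats a practitioner would add. First, the check is only as trustworthy as the channel that delivered the checksum list: if the list comes from the same mirror or torrent as the file, an attacker replaces both, which is why the comment's second suggestion (a signature) matters more than the hash itself; in practice that is a detached signature over the list, verified with a command such as `gpg --verify SHA256SUMS.sig SHA256SUMS` against a key obtained out of band, and the hash check then binds each file to the signed list. Second, the comment's "extremely hard to forge" holds for second-preimage resistance, which is what a downloader relies on, but practical MD5 collisions were published within days of this August 2004 post, and distributors have since moved to SHA-256 lists; the example above accepts either algorithm so the difference is visible.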