Re: [whatwg] checksum attribute in a href tag from Ian Hickson on 2012-10-24 (public-whatwg-archive@w3.org from October 2012)

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 24 Oct 2012 16:28:40 +0000 (UTC)
To: Mikko Rantalainen <mikko.rantalainen@peda.net>
Cc: whatwg@lists.whatwg.org
Message-ID: <Pine.LNX.4.64.1210241623070.2471@ps20323.dreamhostps.com>

On Wed, 24 Oct 2012, Mikko Rantalainen wrote:
> 
> Checksum can help even with encrypted connections.
> 
> Example scenario:
> 
> User connects to https://download.manufacturer.com/ and clicks link
> 
> <a href="phone-firmware-15.img" 
> checksum="MD5:32c3675211199b671fbca1304d819289;SHA1:6e1ddeede3979c953788a3499616af35ee5fd772">Firmware 
> version 15</a>
> 
> The download then starts and file gets saved to the filesystem. However, 
> the system has memory corruption and despite the fact that the file got 
> to the user agent intact, the file will end up as corrupted to the 
> filesystem.
> 
> However, if user agent had computed and verified the checksum after 
> re-reading the file back from the local filesystem, it would have 
> noticed the error.
>
> You might think that memory corruption is rare but trust me, it happens 
> often enough to be worried about.

Memory corruption is indeed more common than people realise. But that's 
not the important question. The important question is, does memory 
corruption occur more often than mistakes in the checksum="" value will 
occur? More often enough that when people get the message that there was a 
download error, they'll trust the message rather than assuming it's just 
"yet another" false positive?

Anyway, if you have memory corruption there's nothing to say the 
corruption won't occur _after_ you've done the checksum verification. In 
particular, there's nothing to say it'll happen between receiving and 
decoding the packets over TLS and comparing the packets to the checksum, 
and not either before (in which case TLS will catch it as part of its own 
integrity checking) or after (in which case the checksum won't help). 
That's a pretty narrow window.

My guess would be that people will screw up their hidden metadata (e.g. 
updating the .img file without updating the HTML file) more often, much 
more often, than the checksum will catch an error.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Wednesday, 24 October 2012 16:29:08 UTC