md5 integrity testing is insufficient

The YouTrack page only gives me md5 sums, but md5 sums are totally insufficient for integrity testing. And you can't even download the files with HTTPS because your certificate is invalid (valid for www.jetbrains.com and not download.jetbrains.com).

http://www.jetbrains.com/youtrack/download/download_thanks.jsp

Please see this for an explanation and demo of how easy it is to break md5:

http://www.mscs.dal.ca/~selinger/md5collision/

It is not safe these days to run downloaded software that you can't verify. Please use at least HTTPS+sha1, but preferably sha256 or PGP signatures. It is standard practice in many other places.

http://software.opensuse.org/131/en => provides md5, sha1, pgp
https://fedoraproject.org/en/verify => provides sha256, pgp
http://mirror.netcologne.de/apache.org/httpd/ => provides md5, pgp
https://help.ubuntu.com/community/VerifyIsoHowto => fails horribly by using gpg only on the md5sums :D but there are also sha256 sums here http://releases.ubuntu.com/14.04.1/ (sums files don't need HTTPS as long as the public key to verify the signature is securely acquired)
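As an added illustration of the verification step the post asks for (this is example code, not part of the original post or of any JetBrains tooling), the following checks a download against a coreutils-style `SHA256SUMS` file of the kind linked above and refuses to accept md5 at all. The file name `youtrack.zip` and the sums file content are constructed for the demo; verifying the PGP signature on the sums file itself (e.g. with `gpg --verify`) is a separate step that this snippet assumes has already been done.

```python
import hashlib
import hmac
import os
import tempfile

# Algorithms acceptable for a download-integrity check. md5 is deliberately
# absent: collisions against it are cheap (see the Selinger demo linked above).
ACCEPTED_ALGORITHMS = {"sha256": hashlib.sha256, "sha1": hashlib.sha1}


def parse_sums_file(text):
    """Parse coreutils-style lines: '<hex>  <name>' (text) or '<hex> *<name>' (binary)."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # drop the second space or the '*' binary marker
        if not name or not digest:
            raise ValueError("malformed sums line: %r" % raw)
        entries[name] = digest.lower()
    return entries


def hash_file(path, algo):
    """Stream the file through the chosen hash so large archives do not need to fit in RAM."""
    h = ACCEPTED_ALGORITHMS[algo]()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, sums_text, algo="sha256"):
    """Return True only if the file's digest matches the sums-file entry for its basename."""
    if algo not in ACCEPTED_ALGORITHMS:
        raise ValueError("refusing to verify with %r; use sha256 (or a PGP signature)" % algo)
    entries = parse_sums_file(sums_text)
    expected = entries.get(os.path.basename(path))
    if expected is None:
        return False
    # compare_digest avoids leaking match position through timing
    return hmac.compare_digest(hash_file(path, algo), expected)


def demo():
    """Constructed sample: a fake 'youtrack.zip' holding b'abc' and its matching SHA256SUMS."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "youtrack.zip")
    with open(path, "wb") as f:
        f.write(b"abc")
    sums = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad *youtrack.zip\n"
    before = verify_download(path, sums)
    with open(path, "ab") as f:
        f.write(b"!")  # tamper with the archive after the fact
    return before, verify_download(path, sums)  # (True, False)
```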
1 comment
Hello,

Thanks for noticing this!
We are working on making our downloads work via https.