Became Hot Network Question
edited tags
Jeff Schaller
Minor corrections
terdon

Why is verifying downloads with MD5 hash considered insecure?

I have downloaded a Debian ISO with jigdo, the download has finished successfully, and printed the following message:

FINISHED --2021-01-22 11:57:20--
Total wall clock time: 4.3s
Downloaded: 9 files, 897K in 1.8s (494 KB/s)
Found 9 of the 9 files required by the template                                                                                                  
Successfully created `debian-testing-amd64-netinst.iso'

-----------------------------------------------------------------
Finished!
The fact that you got this far is a strong indication that `debian-testing-amd64-netinst.iso'
was generated correctly. I will perform an additional, final check,
which you can interrupt safely with Ctrl-C if you do not want to wait.

MD5 from template: l2l48nbYVylT4qrQ0Eq3ww
MD5 from image:    l2l48nbYVylT4qrQ0Eq3ww
OK: MD5 Checksums match, image is good!
WARNING: MD5 is not considered a secure hash!
WARNING: It is recommended to verify your image in other ways too!

Debian offers three ways to verify an ISO image: sha1sums, md5sums and sha256sums. The sha1sum is considered vulnerable to collision attack but I have heard nothing about MD5.

Why is MD5SUM considered an insecure hash? Is the SHA256SUM the only secure way to verify a downloaded debian ISO?

GAD3R

Why verifing downloads with MD5 hash is considerd unsecure?

I have downloaded a debian iso with jigdo, the download is successfully finished and print the following message:

FINISHED --2021-01-22 11:57:20--
Total wall clock time: 4.3s
Downloaded: 9 files, 897K in 1.8s (494 KB/s)
Found 9 of the 9 files required by the template                                                                                                  
Successfully created `debian-testing-amd64-netinst.iso'

-----------------------------------------------------------------
Finished!
The fact that you got this far is a strong indication that `debian-testing-amd64-netinst.iso'
was generated correctly. I will perform an additional, final check,
which you can interrupt safely with Ctrl-C if you do not want to wait.

MD5 from template: l2l48nbYVylT4qrQ0Eq3ww
MD5 from image:    l2l48nbYVylT4qrQ0Eq3ww
OK: MD5 Checksums match, image is good!
WARNING: MD5 is not considered a secure hash!
WARNING: It is recommended to verify your image in other ways too!

Debian offer three ways to verify an ISO image , sha1sums , md5sums and sha256sums. The sha1sum is considered vulnerable to collision attack but nothing is heard about MD5.

Why MD5SUM is considered unsecure hash? Does the SHA256SUM is the only secure way to verify a downloaded debian ISO?