Boost Users :

Subject: Re: [Boost-users] Is it safe to download boost_1_67_0-msvc-14.1-64.exe?
From: Gavin Lambert (gavinl_at_[hidden])
Date: 2018-06-28 04:02:07


On 27/06/2018 16:48, degski wrote:
> That is indeed much better [than I thought], but those people who
> download the .exe will not check that as this requires quite a bit of
> knowledge. Just a question of a lay-man in this matter. Can't the server
> make this check before serving the file, or does a setup like that
> actually weaken the security?

If the server is hacked to the point that it is serving a malicious
file, how could you trust it to perform signature validation on an
associated hashfile?

The Right Way™ to handle this case for the layperson is to
authenticode-sign the exe file, such that when you try to run it,
Windows will verify the signature and tell you who it was signed by.

Even this still requires that person to (a) know that it was supposed to
be signed and (b) recognise the name of the person or organisation who
signed it and (c) trust that no malicious party has been able to obtain
a certificate with a sufficiently-plausible-sounding name from a
certificate vendor trusted by their OS.

I can't actually check whether the current files are signed or not (or
who by) since apparently my Chrome hates the files and they forever sit
in 100%-downloaded-but-trying-to-virus-scan limbo.
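
The check described in the message above, as an added PowerShell example that is not part of the original post: it confirms the file carries a valid Authenticode signature, shows who signed it, and compares the signer certificate against a thumbprint obtained out of band. The function name `Test-InstallerSignature` and the thumbprint value are assumptions; the thread does not say which certificate, if any, the Boost installers are signed with.

```powershell
# Added example. The expected thumbprint is a placeholder: obtain the real one
# from the publisher over a separate trusted channel, not from the download server.
function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # (a) Is the file signed at all, does the signature match the file contents,
    #     and does the certificate chain to a root this machine trusts?
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        Write-Warning "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
        return $false
    }

    # (b) Show who signed it so a person can judge whether the name is the one
    #     they expected.
    $cert = $sig.SignerCertificate
    Write-Host "Subject:    $($cert.Subject)"
    Write-Host "Issuer:     $($cert.Issuer)"
    Write-Host "Thumbprint: $($cert.Thumbprint)"

    # (c) A plausible-sounding subject name can be issued to someone else, so
    #     compare the exact certificate rather than the display name.
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $expected) {
        Write-Warning 'Valid signature, but not from the expected certificate.'
        return $false
    }
    return $true
}

# Usage (file name from the thread subject; thumbprint is a placeholder):
# Test-InstallerSignature -Path .\boost_1_67_0-msvc-14.1-64.exe `
#     -ExpectedThumbprint '<THUMBPRINT-FROM-PUBLISHER>'
```

A pinned thumbprint changes whenever the publisher renews its signing certificate, so the expected value has to be refreshed from the same out-of-band source.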


Boost-users list run by williamkempf at hotmail.com, kalb at libertysoft.com, bjorn.karlsson at readsoft.com, gregod at cs.rpi.edu, wekempf at cox.net