
Re: Is there any security risk using p2p client ?



On Sun, Aug 16, 2009 at 12:05:08PM +0300, ?????????????? ???????????? wrote:
> Is that so? The torrent file you download from debian (= you trust
> that), doesn't contain the checksum?

If you're verifying the checksum, then you implicitly don't trust the
file 100%.  And you shouldn't have 100% trust in any file obtained over
the public internet unless solid end-to-end encryption is in place to
secure the transfer against man-in-the-middle attacks, DNS-based attacks
(which could result in you downloading from a different source than you
think you're getting it from), etc.  This goes double for any sort of
p2p download, since the whole point of p2p downloads is that you're
getting small pieces of the file from many different sources, meaning
that any one of those sources could potentially have maliciously altered
the pieces they're giving you.

If you don't trust the file 100%, then why would you trust the checksum
it contains?  A maliciously-altered file would almost certainly also
contain a new checksum which matches the altered version of the file.

Always obtain your checksums via an alternate (cryptographically-
secured) path, not directly from the data they're being used to verify.

-- 
Dave Sherohman
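The two trust models the reply contrasts, as an added example that is not part of the original thread: a toy .torrent-style metainfo carrying per-piece SHA-1 hashes (the in-band checksum that travels with the download) versus a SHA-256 obtained through a separate trusted channel. The piece length, sample contents and the "trusted" digest are constructed for illustration.

```python
import hashlib
import hmac

PIECE_LEN = 4  # tiny pieces so the constructed sample stays readable


def split_pieces(data: bytes) -> list:
    return [data[i:i + PIECE_LEN] for i in range(0, len(data), PIECE_LEN)]


def make_metainfo(data: bytes) -> dict:
    """Toy .torrent-style metainfo: the checksums are *inside* the downloaded material."""
    return {"length": len(data),
            "pieces": [hashlib.sha1(p).digest() for p in split_pieces(data)]}


def verify_in_band(data: bytes, metainfo: dict) -> bool:
    """Check each downloaded piece against the hashes the metainfo carries."""
    return (len(data) == metainfo["length"] and
            [hashlib.sha1(p).digest() for p in split_pieces(data)] == metainfo["pieces"])


def verify_out_of_band(data: bytes, trusted_sha256_hex: str) -> bool:
    """Check against a digest fetched over a separate, authenticated path."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), trusted_sha256_hex)


GENUINE = b"debian-iso-genuine-contents!"            # constructed stand-in for the image
TRUSTED_SHA256 = hashlib.sha256(GENUINE).hexdigest()  # assumed: obtained out of band
GENUINE_META = make_metainfo(GENUINE)


def scenario_bad_peer() -> bool:
    """One peer serves an altered piece; a trusted metainfo catches it."""
    tampered = GENUINE[:4] + b"XXXX" + GENUINE[8:]
    return verify_in_band(tampered, GENUINE_META)  # False: piece hash mismatch


def scenario_bad_metainfo() -> tuple:
    """File and metainfo arrive over the same untrusted path and were altered together.
    The in-band check passes (the hashes match the altered data); only the
    out-of-band digest detects the substitution."""
    altered = b"debian-iso-ALTERED-contents!"
    return (verify_in_band(altered, make_metainfo(altered)),
            verify_out_of_band(altered, TRUSTED_SHA256))  # (True, False)


if __name__ == "__main__":
    print("bad peer, trusted metainfo:", scenario_bad_peer())
    print("bad metainfo (in-band, out-of-band):", scenario_bad_metainfo())
```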
