
Just out of curiosity - Ubuntu and other Linux distributions tell users to verify downloaded .ISOs against the SHA256 hash of the .ISO.

1 - Since the SHA256 hash value is hosted on the same website as the .ISO file, isn't it equally vulnerable to an attacker who wants to distribute hacked images? If an attacker manages to substitute his own hacked .ISO file, why can't he also substitute the SHA256 hash with one that matches his hacked .ISO?

2 - Don't the standard file transfer protocols (TCP, SFTP, https, BitTorrent...) have sufficiently long CRCs to practically prevent bit errors creeping unnoticed into downloads? If not, why not?

1 Answer


Many common questions here at AskUbuntu are from users encountering mysterious problems that, after some troubleshooting, turn out to be apparently caused by corrupted or incomplete installer downloads or mis-made LiveUSBs.

When those users carefully re-download and re-make the LiveUSB properly, the mysterious problems vanish and the system behaves normally.

Checking the hash is one easy troubleshooting tool to confirm that the installer download is correct, so you're not wasting effort troubleshooting the wrong step in the process. There are different troubleshooting tools and techniques for different steps.

user535733
  • 68,493
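The check the answer describes, as an added example that is not part of the question or the answer: it reads an entry from a SHA256SUMS file in the `<digest> *<filename>` layout the Ubuntu mirrors use, hashes the downloaded file and compares the two, so a truncated or corrupted download is rejected. A hash fetched from the same site only catches this transport-level damage; detecting a substituted image requires authenticating the sums file itself (Ubuntu publishes a detached GPG signature for it), which this script does not do. The function names and the sample "image" files, built in a temporary directory, are this example's own constructions.

```shell
#!/bin/sh
# Added example: verify a downloaded image against a SHA256SUMS entry.
# sha256_of, expected_digest, verify_download and make_sample_download are
# hypothetical names chosen for this example; nothing here is Ubuntu's code.

sha256_of() {
    # Print only the hex digest of the file $1 (GNU sha256sum, or shasum as fallback).
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

expected_digest() {
    # $1 = SHA256SUMS file, $2 = image name as listed there. Accepts both the
    # "<digest> *<name>" (binary) and "<digest>  <name>" (text) line forms.
    awk -v n="$2" '$2 == ("*" n) || $2 == n { print $1; exit }' "$1"
}

verify_download() {
    # $1 = SHA256SUMS file, $2 = listed image name, $3 = path of the file actually on disk.
    # Returns 0 on match, 1 on digest mismatch, 2 if the sums file has no entry for $2.
    want=$(expected_digest "$1" "$2")
    [ -n "$want" ] || { echo "no entry for $2 in $1" >&2; return 2; }
    have=$(sha256_of "$3")
    if [ "$have" = "$want" ]; then echo "$2: OK"; return 0; fi
    echo "$2: FAILED (expected $want, got $have)" >&2
    return 1
}

make_sample_download() {
    # Constructed stand-in for a download directory: a tiny "image", its SHA256SUMS
    # entry, a copy with one byte changed (corruption) and a truncated copy (incomplete
    # download). Prints the directory path.
    d=$(mktemp -d)
    printf 'pretend this is an installer image\n' > "$d/sample.iso"
    printf '%s *sample.iso\n' "$(sha256_of "$d/sample.iso")" > "$d/SHA256SUMS"
    printf 'pretend this is an installer imagE\n' > "$d/sample-corrupt.iso"
    head -c 10 "$d/sample.iso" > "$d/sample-partial.iso"
    echo "$d"
}

demo() {
    d=$(make_sample_download)
    for f in sample.iso sample-corrupt.iso sample-partial.iso; do
        if verify_download "$d/SHA256SUMS" sample.iso "$d/$f"; then :; fi
    done
}

demo
```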