Hello,
its well known that MD5 is completely outdated and not secure anymore!!!
My suggestion is, to switch to sha256 in combination with a PGP.signature !!!
best regards
Reversbit
No Idea what exactly you mean but I can recall reading during the installation process something of sha256 already
Our installer uses sha256. Right click the file and choose properties then check the digital sig. The hash is just to verify you are actually downloading our actual file, before you execute it on your PC at all.
Hello,
i know that the installer is digitally signed, my suggestion was to proper verify that a new version of Glasswire isnt tampered with. If you post the SHA 256 information of the latest Glasswire (exe) in touch with a PGP - signature, its very difficult to alter it. (Possible attack patterns: MIM Attack for example or a dirty exit node )
best regards
Reversbit
Can you give some examples of other websites/software that do this? It will help us understand how to do it better. Thanks.
I don’t understand how it might look/work 100%, that’s why I ask.
Hello,
ok quit easy for example the successor of Truecrypt is Veracrypt - its a very crucial part that your encryption programm is indeed untouched by any third party. If its 100% opensource its no big deal to build your own exe or container like deb in linux.
“https://veracrypt.codeplex.com/wikipage?title=Downloads”
Veracrypt uses only a PGP.signature.I assume that you know what PGP is an how it works.
First of all you need to post on the webpage the ID & Fingerprint of your public Key. Thats very crucial because a third party could intercept the download of your public key.
After that the user can verify that your public key is indeed the right one, if the public key is well known other persons/parties can also sign it to push the trustworthy of it.
The last step is that the user downloads the signature file and verifies the integrity of the file = good or bad signature!
A bonus is, if you put a integrity check on the page where now the old MD5 stands an write there: SHA256 and the the checksum. For the fast ones 
Because PGP isnt well known, i would recommend that you put a link to the signature file like the Tor-guys use “Whats a signature - how do i check it” – “https://www.torproject.org/docs/verifying-signatures.html.en”
Hopefully it helped !
best regards
reversbit
1 Like
That’s very cool. Thank you, we’ll check all of this out!
your hash section on the homepage is linking to the Microsoft page that offers a hashing utility that only supports sha1 or md5, while the hash you put on the download page and changelog is created using sha256 but that’s not mentioned anywhere clearly.
We had some complaints about our sha1 hash, so we switched over to sha256. Perhaps we will switch to md5 on the next update. Which would you prefer?
i suggest using mutiple hash algorithem to gernerate the codes.It will be very difficult to collide if the filesize and mutiple hash codes are given.
1 Like
For the next update we will probably just mark it with SHA256 so it’s less confusing.
We marked the download page now where it says SHA256. https://www.glasswire.com/download/ Scroll down the page to see. Thanks for all your feedback.
1 Like