科技回声 (Tech Echo)

A tech news platform built on Next.js, providing global tech news and discussion content (a Hacker News mirror).

Show HN: Hash Archive helps you verify the hashes of insecure downloads

52 points, posted by btrask almost 9 years ago

6 comments

geofft, almost 9 years ago
PowerShell 4.0, shipped with Windows 8 and above, has a pretty simple Get-FileHash command built in, so you don't need a separate download on those platforms. (On Windows 7 you still need either the download you link to, or a manual upgrade to PowerShell 4.0.)

https://technet.microsoft.com/en-us/library/dn520872.aspx

I believe the syntax is just

    Get-FileHash [file] -Algorithm SHA256
tekacs, almost 9 years ago
The author's other project, https://github.com/btrask/stronglink looks fairly interesting too - 'A searchable, syncable, content-addressable notetaking system'.
amjo324, almost 9 years ago
Great idea for a project. Nice job.

It says in the About section on the home page "Unless someone can intercept your local traffic and our traffic to a site, you'll be able to spot MITM attacks". I'd argue that this is not entirely true. If an attacker operating as a MITM can intercept all local traffic (e.g. via some form of DNS attack), they do not need to control the traffic from hash-archive.org to 3rd party sites. They simply need to control how hash-archive.org is presented to the victim. In theory, the attacker could serve up a bogus version of hash-archive.org that appears to be legitimate but is returning falsified hashes that match the malicious downloads they have intercepted elsewhere.

You might claim this is not possible because hash-archive.org runs over HTTPS so an attacker would also have to somehow generate a valid SSL certificate signed by a trusted CA. This is true but if someone types hash-archive.org into their browser URL bar, the initial request is made over HTTP. The legitimate hash-archive.org redirects the client to HTTPS seamlessly but a fraudulent hash-archive.org could just keep the victim on HTTP.

To provide some mitigation against this type of attack, you could do a couple of things:

* Only allow hash-archive.org to be accessed over HTTPS (port 443). Close port 80. [EDIT: in fact, this doesn't really help all that much because the MITM can still try to serve their bogus version of hash-archive.org over HTTP]

* Set the HTTP Strict Transport Security header (HSTS) [1]. After the first visit to the legitimate hash-archive.org, compliant browsers will only ever allow future visits to be made over HTTPS.

For good measure, you could also set up HTTP Public Key Pinning (HPKP). HPKP is a 'security feature that tells a web client to associate a specific cryptographic public key with a certain web server to prevent MITM attacks with forged certificates.' [2]

[1] https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security

[2] https://developer.mozilla.org/en/docs/Web/Security/Public_Key_Pinning
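The HSTS behaviour amjo324 describes, as an added example that is neither hash-archive's code nor part of the comment: a minimal model of a browser's HSTS cache following RFC 6797. The point worth seeing in code is that a Strict-Transport-Security header received over plain HTTP is ignored, so the attacker's bogus HTTP copy of the site can neither set nor clear the policy; only a prior HTTPS visit to the real site seeds the cache, after which http:// URLs for that host (and, with includeSubDomains, its subdomains) are rewritten to https:// before any request leaves the client. Header names are assumed to be lower-cased, as Node's http module delivers them. One caveat on the HPKP suggestion in the comment: HPKP has since been deprecated and removed from major browsers, so HSTS (plus the preload list) is the mitigation a practitioner would deploy today.

```javascript
// Added example, not hash-archive's code: a minimal client-side HSTS cache modelled
// on RFC 6797. Header names are assumed to be lower-cased (as Node's http module does).

// Parse a Strict-Transport-Security value into { maxAge, includeSubDomains }.
// Returns null when the header is malformed (missing or non-numeric max-age), in which
// case RFC 6797 says the client must ignore it entirely.
function parseHsts(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of value.split(';')) {
    const directive = raw.trim();
    if (!directive) continue;
    const [name, val] = directive.split('=').map(s => s.trim().replace(/^"|"$/g, ''));
    const lname = name.toLowerCase();
    if (lname === 'max-age') {
      if (!/^\d+$/.test(val ?? '')) return null;
      maxAge = Number(val);
    } else if (lname === 'includesubdomains') {
      includeSubDomains = true;
    }
    // Unknown directives (e.g. "preload") are ignored, as the RFC requires.
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class HstsCache {
  constructor() {
    this.entries = new Map(); // hostname -> { expires (ms since epoch), includeSubDomains }
  }

  // Feed a response into the cache. Only a response received over TLS may create,
  // refresh or delete an entry; the same header over plain HTTP is ignored, which is
  // why a MITM serving a bogus HTTP copy of the site cannot tamper with the policy.
  // Returns true when the cache was changed.
  observeResponse(url, headers, now = Date.now()) {
    const u = new URL(url);
    if (u.protocol !== 'https:') return false;
    const value = headers['strict-transport-security'];
    if (value === undefined) return false;
    const policy = parseHsts(value);
    if (policy === null) return false;
    if (policy.maxAge === 0) {
      this.entries.delete(u.hostname); // max-age=0 tells the client to forget the host
      return true;
    }
    this.entries.set(u.hostname, {
      expires: now + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // Is `host` (or a parent domain that set includeSubDomains) a known HSTS host?
  isKnownHost(host, now = Date.now()) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.entries.get(candidate);
      if (!entry) continue;
      if (entry.expires <= now) {
        this.entries.delete(candidate); // expired: behave as if never seen
        continue;
      }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite an http:// URL to https:// before any request is sent, when the host is
  // a known HSTS host. Otherwise return the URL unchanged.
  upgradeUrl(url, now = Date.now()) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isKnownHost(u.hostname, now)) {
      u.protocol = 'https:';
    }
    return u.toString();
  }
}
```

The first visit is the window the comment identifies: until the client has seen the real site over HTTPS once, `upgradeUrl` leaves http:// alone, which is exactly what the HSTS preload list exists to close.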
sprin, almost 9 years ago
Fantastic! While not as bulletproof as receiving the hash out-of-band for a critical resource, this is better than verifying against a hash received from the same origin as the resource, and far better than no hash verification at all. And because this is FOSS, we can gain some protection against the compromise or MITM of a single, central hash-archive server when many of them are deployed by distinct entities on different public domains.

One request: there are lots of users who would be well-served by a way to compute hashes in-browser via the WebCryptoAPI [1]. Would you consider accepting this feature into hash-archive? For users who aren't able to install or have difficulty using a hash calculator locally, this would enable verification of downloaded files in a one-stop online workflow.

[1] https://www.w3.org/TR/WebCryptoAPI/

edit: I stood up an instance here, and I'll make an effort to keep it running and updated: https://hash-archive.probablybroken.com/
ikeboy, almost 9 years ago
Pretty cool. Could this be made into a browser extension that alerts you if there's a difference?
Buge, almost 9 years ago
It would be nice if there was an easy way to copy the hashes for example to diff it against what you computed. As it is now, the page is laid out so that it is hard to copy just the hash.