Comment by npteljes

2 years ago

Getting the signature and the file from the same place is questionable practice in itself. If the place is hacked, then all the hacker needs to do is to just hash his own file, which has happened in at least one high profile case [0]. And this practice doesn't even offer any extra protection if the resource was accessed with HTTPS in the first place.

[0] https://www.zdnet.com/article/hacker-hundreds-were-tricked-i...
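To make the point concrete, here is an added Go example (not part of the comment or the linked article): a checksum served beside the file is recomputed by whoever controls the host, so it still matches after tampering, while an Ed25519 signature checked against a public key obtained out of band does not. The Artifact type, the fixed demo seed and the sample file contents are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Artifact is what a download site serves: the file, a checksum beside it, and a detached signature.
type Artifact struct {
	Data      []byte
	Checksum  string // hex SHA-256, hosted on the same site as the file
	Signature []byte // Ed25519 signature over Data, made with the maintainer's private key
}

// NewKeyPair derives the signing key from a fixed all-zero seed (demo only; real keys need a CSPRNG); only the public half is distributed, out of band.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// Publish builds a release the way the legitimate maintainer would.
func Publish(priv ed25519.PrivateKey, data []byte) Artifact {
	sum := sha256.Sum256(data)
	return Artifact{Data: data, Checksum: hex.EncodeToString(sum[:]), Signature: ed25519.Sign(priv, data)}
}

// Tamper models a compromised host: the file is swapped and the same-origin checksum recomputed; without the private key the stale signature is all the attacker can serve.
func Tamper(a Artifact, replaced []byte) Artifact {
	sum := sha256.Sum256(replaced)
	return Artifact{Data: replaced, Checksum: hex.EncodeToString(sum[:]), Signature: a.Signature}
}

// ChecksumMatches is the weak check: the checksum came from the same place as the file.
func ChecksumMatches(a Artifact) bool {
	sum := sha256.Sum256(a.Data)
	return hex.EncodeToString(sum[:]) == a.Checksum
}

// SignatureValid is the strong check: pub was obtained out of band, not from the download host.
func SignatureValid(pub ed25519.PublicKey, a Artifact) bool {
	return ed25519.Verify(pub, a.Data, a.Signature)
}

func main() {
	pub, priv := NewKeyPair()
	bad := Tamper(Publish(priv, []byte("installer v1.0 (constructed)")), []byte("installer v1.0, modified (constructed)"))
	fmt.Println("tampered file: checksum ok =", ChecksumMatches(bad), "signature ok =", SignatureValid(pub, bad))
}
```

Note that the signature check only helps if the public key really came from somewhere the download host cannot alter (pinned in the client, a separate keyserver, or a key already trusted from an earlier release).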