• Miaou@jlai.lu
      5 hours ago

      Lots of downvotes but no actual answer to your question.

      I assume it’s in case some third parties redistribute the binaries so end users can still check them? Mirrors, internal IT update mechanisms, idk

    • DevDave@piefed.social
      1 day ago

      A drug dealer with a heavily armed escort delivers a package of white powder. New problem: is it cocaine, cleaning detergent, anthrax, or some mixture of the former?

    • 🇨🇦 tunetardis@piefed.ca
      1 day ago

      I suppose if the only way to obtain the patch were through an automated download from the AMD website, the authentication through the site certificate would be better than nothing. But this is a security patch, and I think the researcher is right in pointing out that the bar needs to be higher?

    • Buddahriffic@lemmy.world
      1 day ago

      My version of questioning this is if the same source is providing both the file and the hash, does it matter how hard it is to fake the hash? It could just generate a new hash for the fake file, couldn’t it?
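
Added example, not part of any comment in the thread: it works through the question in the last comment, showing that a plain hash served next to the file catches accidental damage but not a swapped file, while a tag that needs a secret kept off the server catches both. All names and data are constructed, and HMAC is used here only as a standard-library stand-in for a publisher's signature.

```python
import hashlib
import hmac

# Constructed sample data; nothing here comes from the thread or any vendor.
GENUINE = b"update-payload-v1 (genuine)"
REPLACED = b"update-payload-v1 (replaced on the server)"
PUBLISHER_KEY = b"constructed-secret-held-off-the-download-server"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def keyed_tag(data: bytes, key: bytes) -> str:
    # Stand-in for a signature: only a holder of `key` can produce it.
    # A real release would use an asymmetric signature so that clients
    # hold just the public half.
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def publish(payload: bytes, key: bytes) -> dict:
    """Listing as the publisher uploads it: file, plain hash, keyed tag."""
    return {"file": payload, "sha256": sha256_hex(payload),
            "tag": keyed_tag(payload, key)}


def replaced_on_server(listing: dict, payload: bytes) -> dict:
    """Same listing after the file is swapped by someone with write access
    to the server: the plain hash can be regenerated, the tag cannot."""
    return {"file": payload, "sha256": sha256_hex(payload),
            "tag": listing["tag"]}


def damaged_in_transit(listing: dict) -> dict:
    """File bytes altered by accident; the listed hash is unchanged."""
    return {**listing, "file": listing["file"][:-1] + b"?"}


def hash_matches(listing: dict) -> bool:
    return hmac.compare_digest(sha256_hex(listing["file"]), listing["sha256"])


def tag_matches(listing: dict, key: bytes) -> bool:
    return hmac.compare_digest(keyed_tag(listing["file"], key), listing["tag"])
```

The plain hash is an integrity check against corruption; authenticity has to come from something the download server cannot regenerate on its own.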