Link Fingerprints
Link Fingerprints are an easy, transparent way to add meta-data to download links.
This document outlines the Fingerprints dTa supports and is targeted at webmasters.
General
A Link Fingerprint, as supported by dTa, is a piece of information embedded into the fragment part of a link.
For example:
http://example.org/somesite#hash(type:data)
There is currently no official standard for Link Fingerprints, but the de-facto standard, as dictated by the available implementations, looks like the example above.
Checksums/Data Verification
Gerv proposed Link Fingerprints carrying checksums that can be used to verify data.
To get more information read the proposal: http://www.gerv.net/security/link-fingerprints/
dTa, however, differs in some ways from the original proposal:
- In addition to md5 and sha256, sha1 is supported (sha384, sha512 will follow, probably others as well).
- The dTa authors discourage using md5, as this hash algorithm is broken; that is, collisions can be found in just hours. It is therefore encouraged to use either sha256 (no known vulnerabilities) or sha1 (known vulnerabilities, but sha1 is still not considered broken).
- If a download's checksum does not match the link fingerprint checksum, the user is given the choice to Retry/Delete file/Keep data. Gerv's proposal (which he is pushing to get included in Firefox 3.0) will always delete the data.
Checksums cannot really enhance the security of a download (this statement differs from Gerv's claims).
They may protect against file mirrors serving bad data, but that is all from a security point of view.
If the base server is compromised, the attacker could easily replace or remove the Link-Fingerprint from the Hyperlink pointing to the download.
However, checksums provide a great way to safe-guard against data-corruption during transfers, especially for multi-server (mirrored) downloads.
Examples
http://example.org/somefile#hash(md5:b04abf1a9a3af8cfff32b330681fbcec)
http://example.org/somefile#hash(sha1:358975b1ca5a12836468bba77d8a1cefbeea71bc)
http://example.org/somefile#hash(sha256:50fc3517ac5b9c22155335c412aae33ebbe9ea76194ff0a7ca29ee1e63293c2e)
Generating checksums
There is a range of tools capable of generating the checksums/hashes for a given file.
- On *nix there is md5sum, sha1sum and (newer distros) sha256sum.
- For Windows the GNUWin32 CoreUtils package provides md5sum and shasum.
- OpenSSL (available for almost all platforms incl. Windows) is capable of producing hashes using "openssl dgst -sha256 < file" (-md5, -sha1)
- GnuPG (available for almost all platforms incl. Windows) will produce hashes using "gpg --print-md sha256 < file" (md5, sha1). However, don't forget to remove the spaces from the output ;)
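The two steps described above (generating a fingerprinted link for a file, and checking downloaded data against the #hash(type:data) fragment) shown as an added Python example; this is not dTa's own code. The function names are hypothetical, and the case-insensitive matching and digest-length check are assumptions, not documented dTa behaviour.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Algorithms this page lists as supported by dTa, with their hex digest lengths.
SUPPORTED = {"md5": 32, "sha1": 40, "sha256": 64}
FRAGMENT_RE = re.compile(r"^hash\(([A-Za-z0-9]+):([0-9A-Fa-f]+)\)$")


def parse_fingerprint(url):
    """Return (algorithm, hex_digest) from a #hash(type:data) fragment, or None."""
    match = FRAGMENT_RE.match(urlsplit(url).fragment)
    if not match:
        return None
    # Assumption: algorithm name and hex digits are compared case-insensitively.
    algo, digest = match.group(1).lower(), match.group(2).lower()
    # Reject unknown algorithms and truncated or over-long digests.
    if SUPPORTED.get(algo) != len(digest):
        return None
    return algo, digest


def make_link(url, data, algo="sha256"):
    """Append a fingerprint for `data` to `url`, replacing any existing fragment."""
    if algo not in SUPPORTED:
        raise ValueError("unsupported algorithm: " + algo)
    base = urlsplit(url)._replace(fragment="").geturl()
    return "%s#hash(%s:%s)" % (base, algo, hashlib.new(algo, data).hexdigest())


def verify(url, data):
    """Return 'match', 'mismatch' or 'no-fingerprint' for downloaded `data`."""
    parsed = parse_fingerprint(url)
    if parsed is None:
        return "no-fingerprint"  # missing or malformed fragment: nothing to check
    algo, expected = parsed
    actual = hashlib.new(algo, data).hexdigest()
    return "match" if hmac.compare_digest(actual, expected) else "mismatch"


if __name__ == "__main__":
    payload = b"constructed sample file contents\n"  # constructed sample data
    link = make_link("http://example.org/somefile", payload)
    print(link, verify(link, payload))
    print(verify(link, payload + b"\x00"))  # corrupted transfer
```

A "mismatch" result is the point at which dTa would offer Retry/Delete file/Keep data.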
Metalink
Metalink is a download definition language derived from XML. You may use it to describe downloads more thoroughly incl. mirror locations and file checksums/cryptographic signatures, target operating systems or language of a package.
More and more download managers support metalinks, and more and more webmasters take advantage of them; for example, many Free and Open Source Software vendors, such as Linux distributors, use them to describe their downloads.
DownThemAll currently supports file selection (if multiple files are specified), mirrors and whole-file checksums verification.
For more information go to the metalink site: http://metalinker.org/
In addition to using .metalink files directly, dTa supports the Link-Fingerprint syntax.
Examples
http://www.example.com/file.ext#!metalink3!http://www.example.com/file.ext.metalink
