I have never checked and compared the MD5 hash to the real MD5 hash at programs homepages. Programs which I have downloaded have always worked.
Is it possible that someone can put their own code during downloading?
I have never checked and compared the MD5 hash to the real MD5 hash at programs homepages. Programs which I have downloaded have always worked.
Is it possible that someone can put their own code during downloading?
A hash provides a (sort of) unique identifier for a file based on its contents. With lossy connections and poor transmission methods, as well as malicious file copies floating around, a hash provides a way of proving your file is the same file you tried downloading from the server.
You validate it by hashing the copy of the file you got, and seeing if the hashes are the same.
People can inject nasty code, change out the file being downloaded, or you could just get a corrupt download.
Is it possible that someone can put their own code during downloading?
Yes. If the download is done via unencrypted HTTP, then it's being routed through a number of networks, and there most definitely is an opportunity for people to manipulate it and insert a trojan or virus.
And this is exactly the goal of the MD5 checksums for downloads, though this is of course not perfect security, since the checksum may be manipulated in the same way. But it would require more effort and coordination on the part of the attacker.
All in all, this is not a very common problem though, since there are other vectors of attack that are currently much more useful for bad guys (mainly webbrowser vulnerabilities).
An MD5 hash is a form of validation. If a single bit in the file is different, the provided hash will not match the one generated from the file you downloaded. This alerts you to an error in transmission or foul play (rare).
In terms of corrupt downloads, it's pretty rare. I don't think I've ever had a corrupted download except if it somehow got truncated and the error not reported (old FTP clients back in the day).
There might be some security benefit if you're downloading from a mirror, and you trust the real site (which publishes the MD5) more than you trust the mirror (which might be out of date, or evil, or buggy, or pwned, or something, and so might a caching web proxy between it and you). Pretty unlikely situation, though, since there's normally no reason to think that the main site is any more or less trustworthy or secure than the mirror. Still, it's a second opinion.
I don't usually bother checking published checksums unless there's a particular reason to think that they are correct and the download isn't secure (e.g. the checksum is on an https URL and the download isn't). If you're worried about evil-doers then you need signing, not just an insecurely-transmitted checksum.
I do occasionally use the hash-based virus scan reports at virustotal, though. I guess a published MD5sum could allow you to virus-check the file before even downloading it, and then you'd have to check the sum after download to confirm that the value you virus-checked really was for the file you downloaded.
Note that MD5 checksums are not secure if the evil-doer generates the genuine file as well as the dodgy virus-loaded one. It's possible to generate MD5 collisions, although there is not (yet) a full pre-image attack. Anyone serious about security has switched to SHA256 sums where possible. Which is less than you might hope, for legacy and resource reasons.
It basically answers the same question as authentication - whether the one who says he is the one is actually the one. It helps you to make sure that the program you've downloaded is actually what author is provided in the first place and was not tampered on the way from the vendor all the way through the maze of the internet into your desktop.
In addition to enabling you to be sure you got the code you tried to download (it wasn't corrupted either intentionally or accidentally), if you check the hash, the practice of including hashes when publishing code is good social hygiene. Since people who share or sell software often include hashes with their code, and we believe that some people routinely check them (because some download tools do it automatically) crackers will find this to be a less useful way of spreading malware. Therefore, those who only check the hash on security-critical software, or those who never check can have more confidence that the software is what it purports to be. If crackers tried to start injecting viruses or trojans into often-used download sites, they would be detected pretty quickly, and the attack repaired and publicized.
So, you can help everyone by occasionally checking, and even if you don't, the presence of the hashes should provide some reassurance that the code is probably as the author intended it, and the same code downloaded by many other people.
I check md5 most of the time. Although maybe just once or twice, yes, I did get corrupt downloads.
If you download something, check its md5 and store along with file, it may also be a way later to check if the publisher has secretly changed the file without telling it to anyone.