mozdev.org

MDHashTool

resources:
MDHT: link fingerprints information

Link Fingerprints Support in MDHashTool

"Link Fingerprints" is a scheme originally proposed by Gervase Markham for embedding checksum information in links pointing to files intended for distribution. Binding a file's checksum to its URL allows a recipient to easily, and potentially automatically, verify that his downloaded copy of a file matches the original, even if the file is not being hosted on the originator's own site (e.g. files downloaded from mirrors). By comparing the reference checksum value included in the URL to the actual value computed for your copy of the file and verifying that they match, you can be reasonably certain that the file has not been altered.

An example of such a URL is

http://downloads.mozdev.org/mdhashtool/mdhashtool-0.3.xpi#!md5!b3187251c16675ac7d20bb762ad53967

where the "link fingerprint" component,  #!md5!b3187251c16675ac7d20bb762ad53967, consists of the following elements:

#! link fingerprint identifier
md5 checksum algorithm type
! separator character
b3187251c16675ac7d20bb762ad53967 hexadecimal checksum string


By default, MDHashTool (version 0.4+) will indicate links which contain a valid "link fingerprint" by displaying a fingerprint icon

mdhashtool-0.3.xpithis is a checksum-enhanced link

after the link text or image. Menu items for viewing a link's fingerprint information and for copying the embedded checksum to the clipboard will appear in the context menu when right-clicking on such links.

Link Fingerprint context menu items

Downloads which originate from URLs containing valid link fingerprints can be automatically verified using the checksum information embedded in the link. When this feature is enabled (on by default), MDHashTool will compute the checksum for a downloaded file using the algorithm specified in the link fingerprint and compare it to the expected value. If the computed value doesn't match the expected value included in the corresponding URL, an alert dialog will be displayed:

Automated Checksum Verification Failed dialog

Note that this message simply indicates that there is a mismatch between the computed checksum for the file and the expected value embedded in the link. Before you conclude that the file is corrupt or has been tampered with, you may wish to verify that the link fingerprint information supplied by the file originator was generated correctly and is up to date.

When enabled, this Auto Checksum Verification occurs autonomously upon download completion: MDHashTool detects when a file has been downloaded from a source URL that contains a valid link fingerprint, and performs the checksum comparison without further prompting. In other words, you simply save a file in the usual manner(by selecting "Save link as...", or, in some cases, by loading the URL via the address bar), and the checksum verification will be done automatically when applicable. Obviously, this will only be for downloads originating from LF-enhanced links.

To disable the "link fingerprint" icon display or the automated checksum verification feature, modify the appropriate setting via the preferences dialog.

Once you've installed MDHashTool, you can familiarize yourself with its LF-related features by reviewing examples of valid and invalid link fingerprints presented on the demonstration page.

Link Fingerprint Demo



The mdhashtool project can be contacted through the mailing list or the member list.
Copyright © 2000-2017. All rights reserved. Terms of Use & Privacy Policy.