hi, I'd like to register an account to make some feature requests regarding implementing HTTPS for the site, and for getting more hashes to future-proof dumps (SHA-256, SHA-512, SHA3-256, SHA3-512)
2 2024-12-16 14:49:17 (edited by Deterous 2024-12-16 15:33:53)
Hi, welcome to redump. An admin should be able to get you setup soon, we hope you can contribute.
https is a long-requested feature by many that the website owner (single person) has yet to implement. I'm aware that it has deterred many from the site which is unfortunate. The website still functions just fine despite it not having https. Regardless of https or not, you should be using a secure password that is not used elsewhere. Other than the password, there is no other concern of insecure information transferred between redump servers and your computer, so there is no real benefit anyway (beyond stopping your browser's annoying messages about it). All that is to say it's a feature we all want but it shouldn't be something to stop you from using the site. The issues with email are a much bigger problem...
Regarding other hashes, there is very little benefit to using better hashes. The combination of CRC32/MD5/SHA1 and size (in bytes) is enough to uniquely identify a dump across a database with all the discs that have ever been pressed. Larger hashes like SHA-512 take longer to compute and are less compatible with some software, for no benefit. If you'd like to discuss this more you can join the VGPC discord server (or IRC channel if that's your thing instead)
Welcome, obtain your password here.
(check the spam folder in case there will be no message in your inbox)
Please make sure you read and understand the dumping process and the way you have to submit the dumping logs before posting your dump info.
Getting Started Guide
Feel free to ask question on the forum, or via Discord about how to get started preserving games with Redump:
Discord
Hotmail, Outlook, Gmail and Web.de may block mails from our site.
If you have any problems and need to change your email please let us know.
I was able to create a password, but on the forum login page the maximum length of the username accepted is only 25 characters (I assume username means email address in this case) and my email is address is longer. I edited the HTML to remove the limit, but the page now says "Incorrect username and/or password." My password is 35 characters long and includes special characters like "#`^~" maybe that's the problem?
**********
@Deterous, thanks for the quick reply, regarding HTTPS, besides the password sniffing, there are other considerations:
1. someone could edit the pages viewed to inject malicious javascript that can exploit a browser vulnerability
2. a less likely attack, but someone could edit a page and change the hashes displayed to the user, for example to get them to run a fake PC game ISO that is actually a virus, while making the user believe the disc is a legitimate copy
as for the hashes, what you say is correct and will probably be correct for some more years, maybe even decades, but eventually someone will be able to crack all 3 hashes and make a fake file with the same file size as well. since this database is meant to preserve games for the future, hashing with secure hashes now is a way to future-proof the database. there is also the issue that most emulators just rely on only one of the hashes, not all 3 + filesize when verifying a game, and if SHA-256 were used that would be ok. regarding your points about the time/compatibility:
1. calculating all those hashes would maybe only take 4 to 7 times longer than just the current hashes (maybe only twice as long for just adding SHA-256), which is done only once per dump, and the benefit is it secures the database. no one is required to calculate them if they don't want to (the website could show the little blue/green dots next to the additional hashes that have been added once/verified multiple times), but of course if you state that you are welcoming these new hashes, people would surely provide them. newer CPUs have hardware acceleration for all these newer hashes
2. the software that uses the hashes doesn't have to use hashes it isn't programmed to use (some emulators use only one of the hashes)
3. there could be 2 releases of the datfiles, one with all hashes up to SHA-256 that most people playing games can use, and one with all the future-proof hashes for people backing up the database/preserving games
what do you think? I prefer to post in the forum instead of discord/IRC
I was able to create a password, but on the forum login page the maximum length of the username accepted is only 25 characters (I assume username means email address in this case) and my email is address is longer. I edited the HTML to remove the limit, but the page now says "Incorrect username and/or password." My password is 35 characters long and includes special characters like "#`^~" maybe that's the problem?
sorry, I had completely forgotten that the username is actually a username and not the email, that was the issue
6 2024-12-16 17:29:15 (edited by Deterous 2024-12-16 17:31:36)
Https point 1: Yes, I understand that it can happen, I'm not suggesting that sticking to http-only is good, just that it's okay to use the site. You can use the site under sandbox if you are that paranoid, but the risk of that is way lower than many other threat vectors.
Https point 2: I understand you said it was unlikely but that scenario is hilarious. No-one is going through the effort to hijack http just for that
Even if you were to construct a file with identical size and three hashes (not feasible), you would also have to make the structure of the dump contents look correct. Besides, we want checksums, not secure cryptographic hashes. The hashes are to protect against read errors during a dump, not against someone constructing a file to match the hashes. Redump does not share ISOs.
All of this is besides the central point that we cannot change the redump.org website functionality at the moment because the website owner is AWOL
Even if you were to construct a file with identical size and three hashes (not feasible), you would also have to make the structure of the dump contents look correct. Besides, we want checksums, not secure cryptographic hashes. The hashes are to protect against read errors during a dump, not against someone constructing a file to match the hashes. Redump does not share ISOs.
Realistically, the dump contents wouldn't need to be 100% correct. You can see this in attacks on formats like PDF. And many users will be using redump to check against files from the internet (copyright infringing or not).
8 2024-12-17 15:09:44 (edited by Deterous 2024-12-17 15:10:10)
Realistically, the dump contents wouldn't need to be 100% correct
The guest forum is not the place to discuss this, but I really don't want misinformation out there so I want to clear this up. Any talk of a potential file being generated that matches all 3 hashes and a file size is just academic. The three hashes are sufficient for long term preservation. MD5 and SHA1 are not "broken" for pre-image attacks. It is unequivocally infeasible to generate a file that matches a redump dat. Adding new hashes is a waste of time.