checksums WinSCP-5.19.2-Setup.exe do not match download
1 bug; 2 enhancement requests
Bug
The download page lists:
The downloaded file has:
Enhancement req. 1:
Please supply GnuPG signatures for executables. Even though the downloaded executable is signed, a man-in-the-middle attack could replace it. The ability to verify using a long lasting GnuPG key solves that problem.
Enhancement req. 2:
Also, you'd do good by removing reCaptcha to register or post. reCaptacha is Google, it's flawed and it only serves Google (get millions of people to work for free for Google by solving one puzzle for their AI project after another, to no end) and it's definitely not private and thus not secure. Please use a local server hosted verification method.
Bug
The download page lists:
MD5: bc283773ee1947bd5b27a0e0a3de8525 SHA-1: 180b7d545db9d27334eafb77c99d308dda898a67 SHA-256: 402ef66d76d00bc08fbc1d92d2cfeb923e3b36452dd7958abfc6d7cd207395c5
The downloaded file has:
MD5: bacd0340266894cfcbc1b5dfe2a75a3e SHA1: 4af648aa8de84d7405a83328dd19ea93019489c8 SHA256: 4a2ed177b820db55723433cc2770d554e20d7ecaae11bbf24cde496519874894
Enhancement req. 1:
Please supply GnuPG signatures for executables. Even though the downloaded executable is signed, a man-in-the-middle attack could replace it. The ability to verify using a long lasting GnuPG key solves that problem.
Enhancement req. 2:
Also, you'd do good by removing reCaptcha to register or post. reCaptacha is Google, it's flawed and it only serves Google (get millions of people to work for free for Google by solving one puzzle for their AI project after another, to no end) and it's definitely not private and thus not secure. Please use a local server hosted verification method.
