
No checksum information published for ChromeDriver binaries #70

Open
ajorpheus opened this issue Oct 20, 2023 · 4 comments
Labels
enhancement New feature or request

Comments

@ajorpheus

Hello,

None of the API endpoints publish any checksum information for the Chromedriver binaries.

This being the case, what is the recommended way of checking the authenticity of the binaries?

Thank you!

@thiagowfx
Contributor

Filed an internal FR: https://bugs.chromium.org/p/chromium/issues/detail?id=1501279

@thiagowfx thiagowfx reopened this Nov 10, 2023
@thiagowfx thiagowfx added the enhancement New feature or request label Nov 13, 2023
@mathiasbynens
Member

I don’t see checksums adding any value. What’s the attack scenario they protect against?

  • If an attacker manages to break into the server and replace the binaries with malicious ones, they could replace the checksum files as well.
  • If an attacker manages to somehow break HTTPS, they could intercept and alter both the requests for the binaries and the checksums.

@ajorpheus
Author

ajorpheus commented Nov 22, 2023

I see your point @mathiasbynens, however it does help me to answer the question:

'How do you know that the binaries are the same as the ones downloaded from the source?' or, to rephrase it, 'How can I (some IT manager) be sure that YOU (= the person deploying the binaries) did not modify the files before deploying them?'

The scenario is as follows:
I need to deploy chromedriver binaries on a production server, but I have no way of proving that the file that I downloaded on the production server is the same as the one from the source.
If there is a published checksum, I can prove this by demonstrating a comparison of the checksum of the binaries on the box vs those published.
Without the checksum there is no way for me to prove this.

@AZphanus

AZphanus commented Dec 12, 2023

Also, I would like to add my support for this. If something was corrupted in transit, having a checksum available that we can check against allows us (our script) to verify that what was downloaded is exactly what was uploaded to the server. Now, if someone got onto the server and manipulated the file and hash, then that is a whole other problem.
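The kind of verification script the two comments above describe, as an added example that is not part of this thread or of the ChromeDriver project: it hashes a downloaded artifact in a streaming fashion and compares the digest against a pinned value using a constant-time comparison, so a corrupted or altered download is rejected. The file bytes and the pinned digest are constructed inline; in practice the pinned digest has to be obtained separately from the download itself (a checksum fetched from the same server gives none of the guarantees discussed above).

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, pinned_sha256):
    """Return True only if the file's SHA-256 equals the pinned digest.

    hmac.compare_digest is used so the comparison time does not depend on
    how many leading characters of the two hex strings happen to match.
    """
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual, pinned_sha256.strip().lower())


def demo():
    """Verify an intact copy and a copy damaged in transit; returns (True, False)."""
    # Constructed stand-in for a downloaded archive; not a real ChromeDriver binary.
    original = b"constructed chromedriver archive bytes\n" * 200
    # Constructed pinned digest, standing in for a value recorded out of band.
    pinned = hashlib.sha256(original).hexdigest()

    with tempfile.TemporaryDirectory() as workdir:
        intact = Path(workdir) / "chromedriver-intact.zip"
        intact.write_bytes(original)

        # Same file with its final byte altered, modelling corruption in transit.
        damaged = Path(workdir) / "chromedriver-damaged.zip"
        damaged.write_bytes(original[:-1] + b"X")

        return verify_download(intact, pinned), verify_download(damaged, pinned)


if __name__ == "__main__":
    ok, corrupted_ok = demo()
    print(f"intact copy verifies: {ok}; damaged copy verifies: {corrupted_ok}")
```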


4 participants