SHA-1 checksums to be replaced with something better at https://gnupg.org/download/integrity_check.html ?

[Daniel Kahn Gillmor]

On Fri 2016-03-18 03:21:30 -0400, Werner Koch wrote:
> Most people are actually not able to check even the SHA-1 checksums
> because they are missing a tool to do so (e.g. Windows) and have not the
> knowledge to install or compile and audit a shaXsum tool.

On any modern Windows installation (since Vista at least, i think) there
is "certutil.exe"

  https://technet.microsoft.com/en-us/library/cc732443.aspx#BKMK_hashfile

the syntax is:
 
  certutil -hashfile FileToHash.ext sha256

Looks like there's an older version available even for Windows XP (not
that i recommend anyone use that) via something called "Windows Server
2003 Administration Pack":

 https://support.microsoft.com/en-us/kb/934576?spid=12925&sid=1569
 (appears to require javascript, sorry)

> Further, in my experience many users do not check the entire SHA-1 sum
> but just a few of the first and last digits.  With the longer and
> harder to read SHA-256 checksums this will only get worse (“oh yes,
> the checksum is longer and thus safer and thus I need to compare less
> digits” :-().

Right, but surely you wouldn't advocate only displaying the first and
last few digits of the SHA1 digest just because most people aren't going
to look at anytihng else.  Right?

At any rate, checking the first and last X digits of SHA-256 is probably
better than checking the first and last X digits of SHA-1, for any value
of X.  SHA-1 has worse cryptographic properties than SHA-256 (and about
a decade more of intense analysis that reveals flaws).  Likewise, i'm
glad that we at least offer SHA-1, even though it's longer and harder to
read than MD5, which itself is longer and harder to read than CRC32 :P

We cannot force anyone to compare anything, but we can choose whether we
give them the information that is capable of strong comparison. (while
understanding that it's not meaningful in the face of webserver
compromise)

        --dkg