Re: MD5 Collisions...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> Not sure if you've read http://www.win.tue.nl/hashclash/SoftIntCodeSign/ .
>
> should some kind of advisory be sent to advise people not to rely solely
> on MD5 checksums? Maybe an update to the man page is due ? :
This is very old news. Most tools and systems seem to have switched to
SHA variants: GPG (e.g., as used to sign FreeBSD security advisories) uses
SHA1; ports distinfo files use SHA256; etc. The SHA variants have also
been shown to be weaker than expected, too, but they're stronger than MD5,
and it's not really clear at this point that there's anything better yet.
The cryptographers are working on it: http://www.nist.gov/hash-competition
I'm not sure why this made it to the front page of Slashdot again;
identical attacks were on the front page of Slashdot three years ago (see
the links at the bottom of your own URL...).
Anyone in a position to understand what's going on here already knew. And
anyone who doesn't understand these results is not going to be able to
make any effective use of an advisory, and they're just going to get
scared over nothing. Therefore, I don't think any kind of advisory is
warranted.
-Jason
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg
iD8DBQFHU65xswXMWWtptckRAp1qAKC5pGONKG3pdY11yzduGN0MYRlIwACgqKkd
3YhDBot1SAI4ALuOPi12hWQ=
=8gRM
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
討論串 (同標題文章)
完整討論串 (本文為第 3 之 18 篇):