Date: Sun, 2 Dec 2007 23:21:21 -0800 (PST)
From: jason <freebsd-security@dfmm.org>
To: Norberto Meijome <freebsd@meijome.net>
Cc: freebsd-security@freebsd.org
Subject: Re: MD5 Collisions...
Message-ID: <20071202230434.O27936@treehorn.dfmm.org>
In-Reply-To: <20071203154412.461d0faf@meijome.net>
References: <20071203154412.461d0faf@meijome.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Not sure if you've read http://www.win.tue.nl/hashclash/SoftIntCodeSign/ .
>
> should some kind of advisory be sent to advise people not to rely solely
> on MD5 checksums? Maybe an update to the man page is due ? :

This is very old news. Most tools and systems seem to have switched to SHA variants: GPG (e.g., as used to sign FreeBSD security advisories) uses SHA1; ports distinfo files use SHA256; etc.

The SHA variants have also been shown to be weaker than expected, too, but they're stronger than MD5, and it's not really clear at this point that there's anything better yet. The cryptographers are working on it:

http://www.nist.gov/hash-competition

I'm not sure why this made it to the front page of Slashdot again; identical attacks were on the front page of Slashdot three years ago (see the links at the bottom of your own URL...).

Anyone in a position to understand what's going on here already knew. And anyone who doesn't understand these results is not going to be able to make any effective use of an advisory, and they're just going to get scared over nothing.

Therefore, I don't think any kind of advisory is warranted.

-Jason

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQFHU65xswXMWWtptckRAp1qAKC5pGONKG3pdY11yzduGN0MYRlIwACgqKkd
3YhDBot1SAI4ALuOPi12hWQ=
=8gRM
-----END PGP SIGNATURE-----