Vulnerability Development mailing list archives
Re: Hashes,File protection,etc
From: Valdis.Kletnieks () vt edu
Date: Tue, 15 Oct 2002 11:46:08 -0400
On Mon, 14 Oct 2002 17:04:37 EDT, Tony said:
> Does anyone have a reference/link to any well known md5 vulnerabilities? I remember reading something about them a while back but couldn't google up anything. Also, are there any arguments *against* using md5? Should persons be using sha1 instead?
As far as I know, nobody has managed to produce an actual MD5 hash collision. Unless there's a *really major* break, which would be Big News, the resources needed to exploit md5 itself are *waaay* past any that any attacker might have access to.

The *BIG* vulnerability is the same as it's always been - if the attacker can replace the foobar.tar.gz file with a trojaned copy, they can replace the plaintext file that has the checksums in it too.

A bigger worry is that people won't even bother checking - a little birdie told me that the recent Sendmail trojan was out there for a week mostly because *nobody bothered checking the md5sum*.

Bottom line - given current state-of-the-art, even *IF* there exists somebody who can actually exploit MD5 itself, it would be much easier for them to arrange things so you were comparing the trojaned file against a trojaned checksum....

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
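The following is an added example, not part of the original post and not its author's code. It shows why a checksum file served from the same place as the download passes a replaced archive, while a digest recorded through a separate channel rejects it. The sample byte strings, the helper names and the existence of a separately recorded ("pinned") digest are assumptions made for the illustration.

```python
import hashlib
import hmac

NAME = "foobar.tar.gz"
# Constructed sample data standing in for the real and the replaced archive.
GENUINE = b"genuine foobar.tar.gz contents (constructed sample)"
TROJANED = b"trojaned foobar.tar.gz contents (constructed sample)"


def hexdigest(data, algo="md5"):
    return hashlib.new(algo, data).hexdigest()


def parse_sums(text):
    """Parse md5sum-style lines: '<hex>  <name>' or '<hex> *<name>'."""
    sums = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2:
            sums[parts[1].lstrip("*")] = parts[0].lower()
    return sums


def matches(data, expected, algo="md5"):
    """True only if a reference digest exists and equals the data's digest."""
    if expected is None:
        return False
    return hmac.compare_digest(hexdigest(data, algo), expected)


def compromised_mirror(algo="md5"):
    """State of the download site once both files have been replaced."""
    sums_file = "%s  %s\n" % (hexdigest(TROJANED, algo), NAME)
    return TROJANED, sums_file


def verify_same_origin(algo="md5"):
    # Reference digest comes from the same site as the archive itself.
    data, sums_file = compromised_mirror(algo)
    return matches(data, parse_sums(sums_file).get(NAME), algo)


def verify_pinned(algo="md5"):
    # Assumption: this digest was recorded earlier via a separate channel.
    pinned = hexdigest(GENUINE, algo)
    data, _ = compromised_mirror(algo)
    return matches(data, pinned, algo)


if __name__ == "__main__":
    print("same-origin check accepts replaced file:", verify_same_origin())
    print("pinned-digest check accepts replaced file:", verify_pinned())
```

The outcome is the same with `algo="sha256"`: the result depends on where the reference digest comes from, not on which hash function is used.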