rethinking MD5

Posted: Wed Nov 05, 2014 6:52 am
by Vegan
I use the PHP MD5 to generate an ETag so that some dumb search engine can figure out whether my page has been edited or not.

Reading some IT news, it said that MD5 was rather weak and was being used to hack Windows Update.

So does PHP support SHA or other hashes so I can look at new options?

Re: rethinking MD5

Posted: Wed Nov 05, 2014 7:56 am
by Celauran
Vegan wrote: reading some IT news, said the MD5 was rather weak
Weak how? Weak at what? It's worthless for storing password hashes, for instance, but is still widely used to verify the integrity of downloads, for instance. PHP does indeed support a number of hashing algorithms, but I'm not convinced a change is required.

Re: rethinking MD5

Posted: Wed Nov 05, 2014 9:26 am
by Vegan
I am simply wanting to see if other options are available. When I see security bulletins, I like to make sure nothing is left unchecked.

Re: rethinking MD5

Posted: Wed Nov 05, 2014 1:32 pm
by requinix
MD5 isn't good for cryptography but you're not using cryptography.

What you're using MD5 for is perfectly fine. The only way it could be abused is if someone uploaded content, to the same URL, that had an identical MD5 hash, and identical after accounting for whatever factors you've configured for your ETag. And putting aside that you would have much larger problems, all they would do is affect when the browser requests fresh content.

Re: rethinking MD5

Posted: Wed Nov 05, 2014 5:43 pm
by Vegan
I switched MD5 to SHA1, mainly to modernize the code.
Are there other choices that can be substituted?

<?php // An ETag value must be a double-quoted string (RFC 7232).
header('ETag: "' . sha1(date("YmdHis", getlastmod())) . '"'); ?>

Re: rethinking MD5

Posted: Wed Nov 05, 2014 5:44 pm
by Celauran
Yes, see the list of hashing algorithms I posted above. I still maintain that md5 is perfectly suited for this task as creating digests of data is precisely what it was designed to do.
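
The ETag round trip discussed in this thread, as an added example that is not code from any of the posts above: it builds the tag with PHP's generic `hash()` function, so the algorithm is a parameter, and answers a matching `If-None-Match` with 304. The function names `make_etag` and `etag_matches`, the SHA-256 default and the sample timestamp are assumptions made for illustration.

```php
<?php
// Added example; function names and sample values are constructed for illustration.

/** Build a quoted ETag (RFC 7232) from a last-modified timestamp. */
function make_etag(int $lastModified, string $algo = 'sha256'): string
{
    // hash_algos() lists every algorithm this PHP build supports.
    if (!in_array($algo, hash_algos(), true)) {
        throw new InvalidArgumentException("Unsupported hash algorithm: $algo");
    }
    // gmdate() keeps the tag stable if the server's timezone setting changes.
    return '"' . hash($algo, gmdate('YmdHis', $lastModified)) . '"';
}

/** True when the client's If-None-Match header already names this ETag. */
function etag_matches(?string $ifNoneMatch, string $etag): bool
{
    if ($ifNoneMatch === null || trim($ifNoneMatch) === '') {
        return false;
    }
    if (trim($ifNoneMatch) === '*') {
        return true; // "*" matches any current representation
    }
    foreach (explode(',', $ifNoneMatch) as $candidate) {
        // If-None-Match uses weak comparison, so a leading W/ is ignored.
        $candidate = preg_replace('#^W/#', '', trim($candidate));
        if ($candidate === $etag) {
            return true;
        }
    }
    return false;
}

if (PHP_SAPI !== 'cli') {
    $mtime = getlastmod();            // false when the mtime is unavailable
    if ($mtime !== false) {
        $etag = make_etag($mtime);
        header('ETag: ' . $etag);
        if (etag_matches($_SERVER['HTTP_IF_NONE_MATCH'] ?? null, $etag)) {
            http_response_code(304);  // client copy is current: send no body
            exit;
        }
    }
} else {
    // Command-line demo with a constructed timestamp and request header.
    $etag = make_etag(1415166720, 'sha1');
    var_dump(etag_matches('"stale", W/' . $etag, $etag));
}
```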