Watch Out about SSL and Also md5(). Use sha1() Instead
Posted: Tue Dec 30, 2008 11:56 pm
Read this...
http://hackaday.com/2008/12/30/25c3-hac ... -200-ps3s/
So basically, some guys in China have figured out how to make two separate files have the same md5 hash. Okay, that blows usage of md5() in PHP. Next, some other guys recently used that technique on a larger scale and were able to mimic Verisign certs for websites without having to pay Verisign. (Gosh, almost makes you want to go off and make one for all your sites, doesn't it?) Yeah, and that's a problem because now a guy with some advanced equipment in a van outside a wireless cafe can spoof PayPal or a bank site, even making it have an authentic Verisign cert that isn't authentic.
So, the advice is to use sha1() instead of md5() in PHP, but then we're likely to see improvements on SSL come forward out of this. I just hope it won't slow down the Internet, and that no one gets hacked while the Internet committees are working on the security improvements.
Oh, and as a side note, the RIAA is using the md5() algorithm in their court cases against illegal file sharers. They are impounding the evidence, performing an md5() hash check on all system files, and if they find a match and see that this was evidently shared from the same IP and that the person had a file sharing program on their PC, they are claiming the user broke the law. Well, now one can use this info I have here about md5() to show that finding an md5() file match is not proof alone that the file on the hard drive was not the one shared by that IP at that prior time.
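The file-matching point above, as an added example that is not part of the original post: a PHP check that never treats an MD5 match on its own as proof two files are the same. The function names `fingerprint()` and `compareToRecord()` and the sample files are constructed for illustration; it uses SHA-256 through `hash_file()` rather than `sha1()`, because SHA-1 collisions have also been demonstrated since this post was written.

```php
<?php
declare(strict_types=1);

// Added example: helper names and sample files are hypothetical.

/** Record a file's size, its legacy MD5, and its SHA-256 digest. */
function fingerprint(string $path): array
{
    if (!is_file($path) || !is_readable($path)) {
        throw new RuntimeException("cannot read $path");
    }
    return [
        'size'   => filesize($path),
        'md5'    => hash_file('md5', $path),     // kept only to compare with old records
        'sha256' => hash_file('sha256', $path),  // the digest the decision rests on
    ];
}

/**
 * Compare a file on disk with a previously recorded fingerprint.
 *   'match'     size and SHA-256 both agree
 *   'md5-only'  MD5 agrees but size or SHA-256 does not; this is what a
 *               crafted collision pair looks like, so it is not a match
 *   'different' neither digest agrees
 */
function compareToRecord(array $record, string $path): string
{
    $fp = fingerprint($path);
    $strong = $fp['size'] === $record['size']
        && hash_equals($record['sha256'], $fp['sha256']);
    if ($strong) {
        return 'match';
    }
    return hash_equals($record['md5'], $fp['md5']) ? 'md5-only' : 'different';
}

// Constructed sample input: two small temporary files.
$original = tempnam(sys_get_temp_dir(), 'fp');
$modified = tempnam(sys_get_temp_dir(), 'fp');
file_put_contents($original, "original contents\n");
file_put_contents($modified, "modified contents\n");

$record = fingerprint($original);
echo basename($original), ': ', compareToRecord($record, $original), PHP_EOL;
echo basename($modified), ': ', compareToRecord($record, $modified), PHP_EOL;

unlink($original);
unlink($modified);
```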