Re: Why are manager session tokens generated with MD5 by default?

2009-01-05 Thread Minoo Hamilton
Preston L. Bannister wrote: How would you reverse a session-id from an MD5 hash? The exploit used to forge an SSL certificate will not help you. The MD5 exploit is irrelevant to this particular usage. Lots of links and discussion: http://www.schneier.com/blog/archives/2008/12/forging_ssl_cer.htm

Re: Why are manager session tokens generated with MD5 by default?

2009-01-05 Thread Minoo Hamilton
eak algorithms*, such as MD5 / SHA1. Favor safer alternatives, such as SHA-256 or better. PDF: http://www.owasp.org/images/e/e8/OWASP_Top_10_2007.pdf Thanks, Minoo Hamilton Mark Thomas wrote: Filip Hanik - Dev Lists wrote: you don't need to lobby, simply create a patch in Bugzil

Re: Why are manager session tokens generated with MD5 by default?

2009-01-05 Thread Minoo Hamilton
ossibly SHA-256). I think the default hashing algorithm should not be a known broken and insecure one. "MD5 considered harmful today: Creating a rogue CA certificate" http://www.win.tue.nl/hashclash/rogue-ca/ Any thoughts? Thanks, Minoo Hamilton Tim Funk wrote: It is probably due to old code

Why are manager session tokens generated with MD5 by default?

2008-08-28 Thread Minoo Hamilton
the |java.security.MessageDigest| class. If not specified, the default value is "MD5". http://en.wikipedia.org/wiki/Md5 http://en.wikipedia.org/wiki/Sha-1 http://java.sun.com/javase/6/docs/api/java/security/SecureRandom.html Any insights would be appreciated. Thanks,