On 070614 at 00:00, Michael Stone wrote: > On Wed, Jun 13, 2007 at 11:14:15PM +0200, Steffen Schulz wrote: > >http://www.cits.rub.de/MD5Collisions/ > >One example how to create two files with same hash that act > >differently. Should work with most active content. > Cool. So the security team can rig an executable that can be modified > and still have the same md5.
Point was: md5 collisions are a real-world problem. > >With the above results, it would be possible to officially distribute > >nice behaving software but present specific targets with modified > >packages that do evil. > Yup. Or the security team could just plant a regular backdoor, [..] The critical bit was included in the sentence you removed: What hashes does apt-secure use? Judging from this documentation, md5 is used for apt-secure, too: http://people.debian.org/~walters/monk.debian.net/apt-secure/x35.html So every maintainer could distribute nice binaries and then inject malicious packets to certain targets. The overall point of writing my comment: Don't check all conditions, protocols, use cases. Just replace md5 some time soon. > If you don't trust the security team, you probably shouldn't install > security updates. Sorry for being unclear, Steffen -- Um sich in einer Schafherde wohlzufühlen, muss man vor allem Schaf sein. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
