On 5/4/07, John Fiore <[EMAIL PROTECTED]> wrote:
> Speaking of this, when will the OpenBSD project begin to post SHA256 hashes
> to the ftp sites? MD5 is dead: these two files are different and yet have
> the same MD5 hash.
> http://www.cits.rub.de/imperia/md/content/magnus/letter_of_rec.ps
> http://www.cits.rub.de/imperia/md/content/magnus/order.ps
Great. Could you please show me the link to files that have the same length
and MD5 as those in the 4.1 release?
That means nothing. If the OpenBSD project used a CRC16 to verify integrity,
your argument would still hold. What matters is the ease of finding
colliding files.
While finding a file that has the same MD5 as an official file is hard, it
seems ridiculous to trust the security of downloaded files using an algorithm
that is known to be insecure. From a project that has always placed security
before everything, I do not understand the motivation behind not using a
secure algorithm such as SHA-256 or SHA-512.
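
The CRC16 comparison made in the thread, worked as an added example that is not part of any message above: a 16-bit check accepts a substituted file after at most 65536 trials, while the SHA-256 check on the same bytes rejects it. The byte strings are constructed, the function names are hypothetical, and CRC-CCITT (`binascii.crc_hqx`) is an assumed choice of CRC16 variant since the thread names none.

```python
import binascii
import hashlib

# Constructed stand-ins for a release file and a substituted file body.
OFFICIAL = b"constructed stand-in for an official release file\n"
TAMPERED_BODY = b"constructed stand-in for a substituted file\n"


def crc16(data: bytes) -> str:
    """16-bit CRC-CCITT as 4 hex digits (assumed CRC16 variant)."""
    return "%04x" % binascii.crc_hqx(data, 0)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches(data: bytes, published: str, digest) -> bool:
    """The check a downloader runs against a published digest."""
    return digest(data) == published


def second_preimage_crc16(body: bytes, published: str):
    """Try every 2-byte trailer until the 16-bit check passes.

    Returns (bytes, attempts). The final two bytes map one-to-one onto
    CRC16 values, so exactly one of the 65536 trailers matches.
    """
    for i in range(1 << 16):
        candidate = body + i.to_bytes(2, "big")
        if crc16(candidate) == published:
            return candidate, i + 1
    raise AssertionError("unreachable for a 16-bit CRC")


def demo() -> dict:
    substituted, attempts = second_preimage_crc16(TAMPERED_BODY, crc16(OFFICIAL))
    return {
        "attempts": attempts,
        "crc16_accepts_substitute": matches(substituted, crc16(OFFICIAL), crc16),
        "sha256_accepts_substitute": matches(substituted, sha256(OFFICIAL), sha256),
        "sha256_accepts_official": matches(OFFICIAL, sha256(OFFICIAL), sha256),
    }


if __name__ == "__main__":
    print(demo())
```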