Would using the combination of both MD5 and SHA-1 raise the computational bar enough for now, or are there other good prospects for a harder to crack hash?
On Sat, Jan 3, 2009 at 9:35 AM, William Warren < hescomins...@emmanuelcomputerconsulting.com> wrote: > Dragos Ruiu wrote: > >> >> On 2-Jan-09, at 9:56 AM, Robert Mathews (OSIA) wrote: >> >> Joe Greco wrote: >>> >>>> [ .... ] >>>> >>>> Either we take the potential for transparent MitM attacks seriously, or >>>> we do not. I'm sure the NSA would prefer "not." :-) >>>> >>>> As for the points raised in your message, yes, there are additional >>>> problems with clients that have not taken this seriously. It is, >>>> however, >>>> one thing to have locks on your door that you do not lock, and another >>>> thing entirely not to have locks (and therefore completely lack the >>>> ability to lock). I hope that there is some serious thought going on in >>>> the browser groups about this sort of issue. >>>> >>>> [ ... ] >>>> >>>> ... JG >>>> >>> >>> F Y I, see: >>> >>> SSL Blacklist 4.0 - for a Firefox extension able to detect 'bad' >>> certificates @ >>> http://www.codefromthe70s.org/sslblacklist.aspx >>> >>> Best. >>> >> >> Snort rule to detect said... >> >> url: http://vrt-sourcefire.blogspot.com/2009/01/md5-actually-harmful.html >> >> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Weak SSL >> OSCP response -- MD5 usage"; content:"content-type: >> application/ocsp-response"; content:"2A 86 48 86 F7 0D 01 01 05"; metadata: >> policy security-ips drop, service http; reference: url, >> www.win.tue.nl/hashclash/rogue-ca/; classtype: policy-violation; >> sid:1000001;) >> >> cheers, >> --dr >> >> -- >> World Security Pros. Cutting Edge Training, Tools, and Techniques >> Vancouver, Canada March 16-20 2009 http://cansecwest.com >> London, U.K. May 27/28 2009 http://eusecwest.com >> pgpkey http://dragos.com/ kyxpgp >> >> >> >> Everyone seems to be stampeding to SHA-1..yet it was broken in 2005. So > we trade MD5 for SHA-1? This makes no sense. > >
