On Sat, Jan 3, 2009 at 10:49 AM, Steven M. Bellovin <s...@cs.columbia.edu> wrote:
> On Sat, 03 Jan 2009 09:35:06 -0500
> William Warren <hescomins...@emmanuelcomputerconsulting.com> wrote:
>
>> Everyone seems to be stampeding to SHA-1..yet it was broken in 2005.
>> So we trade MD5 for SHA-1? This makes no sense.
>>
> (a) SHA-1 was not broken as badly. The best attack is, as I recall,
> 2^63, which is computationally infeasible without special-purpose
> hardware.
>

special purpose? or lots of commodity? like the Amazon-EC2 example used in the cert issue? (or PS3s or...)

> (b) Per a paper Eric Rescorla and I wrote, there's no usable
> alternative, since too many protocols (including TLS) don't negotiate
> hash functions before presenting certificates. In particular, this
> means that a web site can't use SHA-256 because (1) most clients won't
> support it; and (2) it can't tell which ones do. (Note that this
> argument applies just as much to combinations of hash functions --
> anything that *the large majority of today's* browsers don't implement
> isn't usable.)

This is a function of an upgrade (firefox3.5 coming 'soon!') for browsers, and for OS's as well, yes? So, given a future flag-day (18 months from today no more MD5, only SHA-232323 will be used!!) browsers for the majority of the market could be upgraded. Certainly there are non-browsers out there (eudora, openssl, wget, curl..bittorrent-clients, embedded things) which either will lag more or break altogether.

>
> These two points lead us to (c): security is a matter of economics, not
> algorithms. Switching now to something else loses more in connectivity
> or customers than you would lose from such an expensive attack.
>

only if not staged out with enough time to roll updates in first, right?

-Chris