Marc-Andre Lemburg <m...@egenix.com> added the comment: On 2009-01-06 22:42, Lukas Lueg wrote: > Lukas Lueg <knabberknusperh...@yahoo.de> added the comment: > > As I already said to Raymond: At least we should update the > documentation. The "FAQ" currently linked is from 2005. > > The CERT-Advisory from provides a clean and simple language: "In 2008, > researchers demonstrated the practical vulnerability [...] We are > currently unaware of a practical solution to this problem. *Do not use > the MD5 algorithm*."
That's a correct statement for cryptographic work based on MD5. However, it's not true with respect to using MD5 as fast general purpose hash algorithm in non-crypto applications, so I think the warning on http://docs.python.org/library/hashlib.html is sufficient. Note that the various SHA implementations are also starting to get some heat lately, so it's only a question of time until these get excluded from the set of cryptographic hash functions: http://en.wikipedia.org/wiki/SHA1 http://en.wikipedia.org/wiki/Cryptographic_hash_function also see: http://en.wikipedia.org/wiki/Hash_function """ Hash functions are related to (and often confused with) checksums, check digits, fingerprints, randomizing functions, error correcting codes, and cryptographic hash functions. Although these concepts overlap to some extent, each has its own uses and requirements. """ It might be a good idea to remove the word "secure" from the hashlib documentation, since security of these algorithms is always limited to a certain period of time. _______________________________________ Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue4858> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
