Is This News?
Sorry El Reg.
I prefer news instead of adverts.......
The outdated and crackable MD5 hash function is still lingering in critical parts of the internet's infrastructure and could undermine security, researchers have warned. In a paper [PDF] published in time for a cryptography conference in Silicon Valley this week, the authors from French research institute INRIA note that while …
Pretty much they always either mention a company that has an add-on or service to circumvent the flaw or they mention the name of the discoverer. So they're either organizational advertising or seeking notoriety.
But a bit of that is acceptable when it serves a useful purpose, which I agree this article does.
(It is those protection racket type disclosures that disclose to criminals very-hard-to-discover (hard to discover because they were previously undiscovered) step by step explicit instructions and tips on how to code the exploit and bypass safeguards that I find morally objectionable. Even personal injury lawyers don't push people under the bus in an attempt to drum up business. But those are much less common than they used to be.)
"That ambitious privacy toolset aside, Chaum is also building into PrivaTegrity another feature that’s sure to be far more controversial: a carefully controlled backdoor that allows anyone doing something “generally recognized as evil” to have their anonymity and privacy stripped altogether."
When PrivaTegrity’s setup is complete, nine server administrators in nine different countries would all need to cooperate to trace criminals within the network and decrypt their communications.
Perhaps he got the idea from the plot of "Spectre".
the big factor in hacking is insecure operating software
an operating system that allows itself to be compromised by the activity of an application program is not secure and is a serious risk if used in any application where security is required .
quit treating the symptoms and face the music
Uh, no. Whilst that's a legitimate area of concern, there are plenty of security issues that take place atop the layer of the OS and don't compromise it, yet are still serious issues. For example in this case it talks about compromising the security between the client browser and server allowing session hijacking. That has little to nothing to do with securing the OS against the application (browser) and certainly isn't a compromising of the OS.
Application-layer security is just as valid and important as OS security.
... it will have O(n!) different licensing mechanisms. I mean seriously ... Priva-what? I'm keen to understand how this will be disseminated and whether profit or control will be evident, and exercised by a select few individuals. It has a name that stinks of commercialism.
Chaum has an impressive cryptography pedigree, with an equally impressive list of patents. Popcorn out, projector on ...
The most pressing attack, for typical TLS applications, is the client-authentication one. That's only urgent if your TLS stack allows RSA-MD5. Recent releases of the most common implementations don't. OpenSSL, for example, hasn't allowed it since 1.0.1f.
That doesn't mean this isn't important, or isn't good research - just that it's not quite This Week's Heartbleed.
Proof-of-concept is one thing, actually deploying something in the real World that is at all likely to be worth the effort is something else entirely. I'm pretty certain that the security flaw in the MD5 algorithm is very unlikely to affect anyone. (Which is not to say that it should be entirely ignored).
Biting the hand that feeds IT © 1998–2019