back to article The sloth is coming! Quick, get MD5 out of our internet protocols

The outdated and crackable MD5 hash function is still lingering in critical parts of the internet's infrastructure and could undermine security, researchers have warned. In a paper [PDF] published in time for a cryptography conference in Silicon Valley this week, the authors from French research institute INRIA note that while …

  1. ashdav

    Is This News?

    Sorry El Reg.

    I prefer news instead of adverts.......

  2. Tomato42
    Black Helicopters

    since when informing about new exploits in widely used cryptographic protocols is advertising?

    if anything, it more looks like you are paid by some TLA to spread FUD

    1. WatAWorld

      Pretty much they always either mention a company that has an add-on or service to circumvent the flaw or they mention the name of the discoverer. So they're either organizational advertising or seeking notoriety.

      But a bit of that is acceptable when it serves a useful purpose, which I agree this article does.

      (It is those protection racket type disclosures that disclose to criminals very-hard-to-discover (hard to discover because they were previously undiscovered) step by step explicit instructions and tips on how to code the exploit and bypass safeguards that I find morally objectionable. Even personal injury lawyers don't push people under the bus in an attempt to drum up business. But those are much less common than they used to be.)

  3. DropBear

    Perhaps what should have been mentioned is this:

    "That ambitious privacy toolset aside, Chaum is also building into PrivaTegrity another feature that’s sure to be far more controversial: a carefully controlled backdoor that allows anyone doing something “generally recognized as evil” to have their anonymity and privacy stripped altogether."

    1. Anonymous Coward
      Anonymous Coward

      Re: Perhaps what should have been mentioned is this:

      When PrivaTegrity’s setup is complete, nine server administrators in nine different countries would all need to cooperate to trace criminals within the network and decrypt their communications.

      Perhaps he got the idea from the plot of "Spectre".

      1. Destroy All Monsters Silver badge

        Re: Perhaps what should have been mentioned is this:

        8 sockpuppets are easy to engineer

  4. mike acker

    face the real problem

    the big factor in hacking is insecure operating software

    an operating system that allows itself to be compromised by the activity of an application program is not secure and is a serious risk if used in any application where security is required .

    quit treating the symptoms and face the music

    1. h4rm0ny

      Re: face the real problem

      Uh, no. Whilst that's a legitimate area of concern, there are plenty of security issues that take place atop the layer of the OS and don't compromise it, yet are still serious issues. For example in this case it talks about compromising the security between the client browser and server allowing session hijacking. That has little to nothing to do with securing the OS against the application (browser) and certainly isn't a compromising of the OS.

      Application-layer security is just as valid and important as OS security.

  5. Disgruntled of TW
    Boffin

    With a name like PrivaTegrity ...

    ... it will have O(n!) different licensing mechanisms. I mean seriously ... Priva-what? I'm keen to understand how this will be disseminated and whether profit or control will be evident, and exercised by a select few individuals. It has a name that stinks of commercialism.

    Chaum has an impressive cryptography pedigree, with an equally impressive list of patents. Popcorn out, projector on ...

  6. Michael Wojcik Silver badge

    In case anyone's interested

    The most pressing attack, for typical TLS applications, is the client-authentication one. That's only urgent if your TLS stack allows RSA-MD5. Recent releases of the most common implementations don't. OpenSSL, for example, hasn't allowed it since 1.0.1f.

    That doesn't mean this isn't important, or isn't good research - just that it's not quite This Week's Heartbleed.

  7. Cynic_999

    Proof-of-concept is one thing, actually deploying something in the real World that is at all likely to be worth the effort is something else entirely. I'm pretty certain that the security flaw in the MD5 algorithm is very unlikely to affect anyone. (Which is not to say that it should be entirely ignored).

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like