Re: some feedback about security from the user's point of view
Hi all,
Another indicator that I believe should be taken care into
consideration, is the fact that Microsoft is using SHA256 or better in
all new application for a while now. They do have a post [1] in their
Secure Development Lifecycle blog stating their stance regarding
cryptography and banning certain algorithms and the reasoning behind
some decisions (albeit a watered-down one). Regardless of one's views
for Microsoft (I personally do not use any of their products), I believe
that one should see what others in the are doing
[1]
http://blogs.msdn.com/b/sdl/archive/2009/07/16/banned-crypto-and-the-sdl.aspx
On 01/24/2011 01:18 PM, René Mayrhofer wrote:
> Am Montag, 24. Januar 2011, um 11:29:25 schrieb AK:
>> While the attack sequence presented is valid, in practice, given that
>> there are a lot of "Debian based" distributions out there, wouldn't this
>> be caught somewhere down the line?
> I wouldn't count on it, unfortunately - I have been working on a security/firewall distribution based on Debian (Gibraltar firewall) since ca. 2000, and we just don't have the manpower to audit upstream Debian packages. We certainly didn't catch the openssl bug, and I don't think any of the other Debian-derived distributions did. It would be exceedingly easy to hide a small, known-to-be-colliding binary block in most of the Debian packages and call it with an obscure overflow-like bug in one of the binaries.
>
> Therefore, I strongly suggest to move away from all uses of MD5 and use SHA-2 (>=256) instead (SHA1 already makes the crypto community nervous, and we will need to wait for SHA-3 to arrive at something that will hopefully hold for >10 years...).
>
> best regards,
> Rene
Reply to: