MD5 is bad for security
MD5 is a broken hash; you should be careful when you use it.
A German hacker conference presentation revealed:
We have identified a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure websites. As a proof of concept we executed a practical attack scenario and successfully created a rogue Certification Authority (CA) certificate trusted by all common web browsers. This certificate allows us to impersonate any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol.
I have been guilty of the same crime, trusting MD5 uniqueness, because sometimes the security ramifications of hashing don’t occur to me.
It’s still non-trivial to break an MD5 hash, especially given certain constraints such as breaking the hash with a valid source file. But it gets easier every day as computers get faster.
Some sites that I can think of depend on MD5 hashes: del.icio.us uses MD5 hashes of links for all link URLs, and Gravatar uses MD5 hashes of email addresses to provide user icons.
Disasters waiting to happen? Probably not, but combine another Windows image exploit with MD5 hash collisions on popular Gravatar email addresses, or a del.icio.us bookmark to PayPal re-routed to paypal.core7.lv, and there’s probably a lot of potential exploitation out there.
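An added example, not code from the original post: a lookup table keyed on the hash of a URL, as the post describes for del.icio.us, first trusting key uniqueness and then checking the stored value. `weak_key` (MD5 cut to 8 bits) is a constructed stand-in so that a collision shows up quickly; the class and function names and the sample URLs are assumptions.

```python
import hashlib

def md5_key(value):
    """Key scheme from the post: hex MD5 of a URL or e-mail address."""
    return hashlib.md5(value.encode("utf-8")).hexdigest()

def weak_key(value):
    """Constructed stand-in for a collidable hash: MD5 cut to 8 bits."""
    return md5_key(value)[:2]

def sha256_key(value):
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

class KeyCollision(Exception):
    pass

class TrustingStore:
    """Assumes keys are unique: a colliding value silently replaces the old one."""
    def __init__(self, key_fn):
        self.key_fn, self.rows = key_fn, {}
    def put(self, value):
        key = self.key_fn(value)
        self.rows[key] = value
        return key
    def get(self, key):
        return self.rows.get(key)

class CheckingStore(TrustingStore):
    """Keeps the original value and rejects a different value under a used key."""
    def put(self, value):
        key = self.key_fn(value)
        if self.rows.get(key, value) != value:
            raise KeyCollision(f"{key}: {self.rows[key]!r} vs {value!r}")
        self.rows[key] = value
        return key

def first_collision(key_fn, original, candidates):
    """Return the first candidate that shares a key with `original`, or None."""
    target = key_fn(original)
    return next((c for c in candidates if c != original and key_fn(c) == target), None)

# Constructed sample data (not from the post).
ORIGINAL = "https://www.example.com/login"
CANDIDATES = [f"https://other.example.net/{i}" for i in range(10000)]

if __name__ == "__main__":
    clash = first_collision(weak_key, ORIGINAL, CANDIDATES)
    store = TrustingStore(weak_key)
    key = store.put(ORIGINAL)
    store.put(clash)
    print("trusting store now returns:", store.get(key))
```

Swapping `weak_key` for `sha256_key` gives the two URLs distinct keys; the comparison in `CheckingStore` is what catches a collision whichever hash is in use.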