Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 13 Nov 2013 07:57:51 -0800
From: Tim <tim-security@...tinelchicken.org>
To: oss-security@...ts.openwall.com
Subject: Re: Microsoft Warns Customers Away From RC4 and
 SHA-1

> I'm inclined to agree. The question I suppose is, like DES (and
> 3DES/MD5) at what point do we start assigning CVE's for some of this?
> thoughts and comments welcome.

Using a weak encyption algorithm alone isn't a sufficient condition to
issue a CVE against software, since often the context of the usage
matters a lot.  If you use MD5 or SHA-1 for password hashing (with
lots of salt and rounds), then there's no vulnerability.  If you use
them for HMACs, then there's also likely no problem.  But if you use
them for a signature with a public key, there is.

So to answer the "at what point" question: *right now*, but *only* in
the proper context.  There needs to be a demonstrable attack in that
context. 

tim

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.