Date: Wed, 13 Nov 2013 07:57:51 -0800 From: Tim <tim-security@...tinelchicken.org> To: oss-security@...ts.openwall.com Subject: Re: Microsoft Warns Customers Away From RC4 and SHA-1 > I'm inclined to agree. The question I suppose is, like DES (and > 3DES/MD5) at what point do we start assigning CVE's for some of this? > thoughts and comments welcome. Using a weak encyption algorithm alone isn't a sufficient condition to issue a CVE against software, since often the context of the usage matters a lot. If you use MD5 or SHA-1 for password hashing (with lots of salt and rounds), then there's no vulnerability. If you use them for HMACs, then there's also likely no problem. But if you use them for a signature with a public key, there is. So to answer the "at what point" question: *right now*, but *only* in the proper context. There needs to be a demonstrable attack in that context. tim
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.