FROM : John Stiles
DATE : Wed Apr 02 18:52:16 2008
Alastair Houghton wrote:
> On 2 Apr 2008, at 17:19, John Stiles wrote:
>
>> I take it all back; in 2007 there was an MD5 attack discovered which
>> actually allows for completely different binaries that sign the same.
>> Check Wikipedia for the details, but basically MD5 is totally broken
>> now. Wow, times change!!
>
> Actually I don't think you should take it back; it looks to me like
> the problem that has been solved (that of finding two files with the
> same prefix that have the same MD5 sum) is not a useful exploit in
> most cases.
>
> In order for it to be a real vulnerability, you would need an
> algorithm that, as you say, allows someone to take an arbitrary file
> and add some bytes that are determined by the algorithm in order to
> match a given hash. I don't believe, from what I've read, that that
> particular problem has been solved.
>
> The vulnerability that we have currently would only allow the original
> creator of a file to generate another file with the same checksum, and
> only under certain preconditions, so I contend that, as you originally
> stated, MD5 is not fully broken (and not even usefully broken in many
> respects).
Well, you're right, but I still wouldn't want to use it for anything
where security was a real concern; I'd be worried that the next attack
wouldn't be so forgiving.
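To make the distinction drawn above concrete, the following added example (not part of the thread) brute-forces both problems against an MD5 truncated to 16 bits: a collision, where the attacker writes both files around a shared prefix, versus a second preimage, where the file and its hash are fixed and the attacker may only append bytes. The truncation and the sample inputs are constructed so the searches finish quickly; the cost gap it shows (birthday bound of about 2^(n/2) versus about 2^n hashes) is why a collision result is far less useful to an outsider than a preimage result would be.

```python
import hashlib

# Constructed example: MD5 truncated to BITS bits so both searches finish in
# well under a second; the attacker cost model scales the same way at 128 bits.
BITS = 16

def trunc_md5(data: bytes) -> int:
    """Return the first BITS bits of MD5(data) as an integer."""
    digest = hashlib.md5(data).digest()
    return int.from_bytes(digest, "big") >> (128 - BITS)

def find_collision(prefix: bytes, max_tries: int = 1 << 20):
    """Collision search: the attacker builds BOTH files, sharing `prefix`
    (the situation described in the thread). Birthday bound: ~2^(BITS/2)."""
    seen = {}  # truncated hash -> first candidate that produced it
    for i in range(1, max_tries + 1):
        candidate = prefix + i.to_bytes(8, "big")
        h = trunc_md5(candidate)
        if h in seen:
            return seen[h], candidate, i  # two distinct files, same hash
        seen[h] = candidate
    return None

def find_second_preimage(target: bytes, max_tries: int = 1 << 20):
    """Second-preimage search: `target` and its hash are fixed in advance and
    the attacker may only append bytes. No birthday shortcut: ~2^BITS hashes."""
    goal = trunc_md5(target)
    for i in range(1, max_tries + 1):
        candidate = target + i.to_bytes(8, "big")
        if trunc_md5(candidate) == goal:
            return candidate, i
    return None

def compare_costs():
    """Run both searches on constructed inputs; return the hash counts."""
    prefix = b"constructed sample document, shared prefix\n"
    target = b"constructed sample document the attacker did not author\n"
    a, b, collision_tries = find_collision(prefix)
    forged, preimage_tries = find_second_preimage(target)
    assert a != b and trunc_md5(a) == trunc_md5(b)
    assert forged != target and trunc_md5(forged) == trunc_md5(target)
    return collision_tries, preimage_tries

if __name__ == "__main__":
    c, p = compare_costs()
    print(f"{BITS}-bit collision after {c} hashes; second preimage after {p}")
```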
Cocoa mail archive