At Sat, 02 May 2009 21:53:40 +1200, Peter Gutmann wrote:
>
> "Perry E. Metzger" <pe...@piermont.com> writes:
> >Greg Rose <g...@qualcomm.com> writes:
> >> It already wasn't theoretical... if you know what I mean. The writing
> >> has been on the wall since Wang's attacks four years ago.
> >
> >Sure, but this should light a fire under people for things like TLS 1.2.
>
> Why?
>
> Seriously, what threat does this pose to TLS 1.1 (which uses HMAC-SHA1 and
> SHA-1/MD5 dual hashes)? Do you think the phishers will even notice this as
> they sort their multi-gigabyte databases of stolen credentials?
Again, I don't want to get into a long argument with Peter about TLS 1.1 vs. TLS 1.2, but TLS 1.2 also defines an extension that lets the client tell the server that it would take a SHA-256 certificate. Absent that, it's not clear how the server would know.

Of course, you could use that extension with 1.1 and maybe that's what the market will decide...

-Ekr

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
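The extension Ekr refers to is signature_algorithms (RFC 5246 section 7.4.1.4.1, extension type 13). As an added illustration that is not part of the thread, the following Python sketch shows the server side of that decision: parse the ClientHello extensions, decode the (hash, signature) pairs the client says it can verify, and fall back to a SHA-1 chain when the extension is absent, as RFC 5246 requires. The ClientHello bytes and the chain names are constructed for the example.

```python
import struct

# Codepoints from RFC 5246 section 7.4.1.4.1 (signature_algorithms, type 13).
SIGNATURE_ALGORITHMS_EXT = 13
HASH_NAMES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {1: "rsa", 2: "dsa", 3: "ecdsa"}


def parse_extensions(ext_block: bytes) -> dict:
    """Parse a ClientHello extensions vector: 2-byte total length, then
    repeated (type, length, data) records. Returns {type: data}."""
    if len(ext_block) < 2:
        return {}
    (total,) = struct.unpack("!H", ext_block[:2])
    body = ext_block[2:2 + total]
    if len(body) != total:
        raise ValueError("truncated extensions block")
    exts, pos = {}, 0
    while pos < len(body):
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated extension %d" % ext_type)
        exts[ext_type] = data
        pos += ext_len
    return exts


def parse_signature_algorithms(data: bytes) -> list:
    """Decode the SignatureAndHashAlgorithm pairs (hash byte, then sig byte)."""
    (n,) = struct.unpack("!H", data[:2])
    pairs = data[2:2 + n]
    if len(pairs) != n or n % 2:
        raise ValueError("malformed signature_algorithms")
    return [(HASH_NAMES.get(pairs[i], "?"), SIG_NAMES.get(pairs[i + 1], "?"))
            for i in range(0, n, 2)]


def choose_chain(ext_block: bytes) -> str:
    """Without the extension the server must assume the client only verifies
    the legacy SHA-1 defaults, so the SHA-256 chain is never offered blindly."""
    exts = parse_extensions(ext_block)
    if SIGNATURE_ALGORITHMS_EXT not in exts:
        return "sha1-chain"
    offered = parse_signature_algorithms(exts[SIGNATURE_ALGORITHMS_EXT])
    return "sha256-chain" if ("sha256", "rsa") in offered else "sha1-chain"


# Constructed: extensions block with one signature_algorithms extension
# advertising sha256/rsa, sha1/rsa and sha256/ecdsa.
SAMPLE_TLS12 = bytes.fromhex("000c" "000d0008" "0006" "0401" "0201" "0403")
# Constructed: a TLS 1.1-style hello carrying no extensions at all.
SAMPLE_TLS11 = bytes.fromhex("0000")
```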