Nicolas,

We could phase in the use of a salted SHA-256 hash scheme.

The client/server software would just have to assume MD5 in cases where it 
wasn't explicitly tagged as SHA-256.  Over time projects would upgrade and the 
clients would gracefully upgrade along with it.

----- Rom

-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Nicolás Alvarez
Sent: Sunday, January 27, 2013 6:34 PM
To: [email protected]
Cc: Boinc_Dev@Ssl. Berkeley. Edu
Subject: Re: [boinc_dev] Disable use of MD5?

2013/1/27, Jeffrey Walton <[email protected]>:
> Hi All,
>
> Is it possible to disable use of MD5? (I checked configure, and there 
> does not appear to be a switch).
>
> MD5 is completely broken, and has no cryptographic value. Yet it 
> appears to be used in cryptographic routines.

That can't possibly be done. The client sends MD5 password hashes to the 
server, for example. If you disable MD5 when compiling the client, what do you 
expect it to do? Send passwords in plaintext? Disable the "attach to project" 
feature? Use a different hash algorithm, which no BOINC server would accept?

--
Nicolás
_______________________________________________
boinc_dev mailing list
[email protected]
http://lists.ssl.berkeley.edu/mailman/listinfo/boinc_dev
To unsubscribe, visit the above URL and
(near bottom of page) enter your email address.
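
The phase-in Rom describes (untagged means MD5, an explicit tag means salted SHA-256) can be sketched as below. This is an added example, not BOINC code: the `sha256$<salt>$<digest>` record layout and all function names are hypothetical, and it assumes the verifying side has the password available so it can re-hash on a successful legacy check.

```python
import hashlib
import hmac
import os

TAG = "sha256"  # assumed tag name; the thread does not define a format

def make_sha256_record(password, salt=None):
    """Build a tagged record: sha256$<salt hex>$<digest hex>."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"{TAG}${salt.hex()}${digest}"

def parse_record(record):
    """Return (scheme, salt, digest_hex). Untagged records are legacy MD5."""
    if "$" not in record:
        return ("md5", b"", record.lower())
    tag, salt_hex, digest = record.split("$")  # ValueError if malformed
    if tag != TAG:
        # Reject unknown tags instead of silently falling back to MD5.
        raise ValueError(f"unknown hash tag: {tag!r}")
    return (tag, bytes.fromhex(salt_hex), digest.lower())

def verify(password, record):
    scheme, salt, expected = parse_record(record)
    if scheme == "md5":
        actual = hashlib.md5(password.encode()).hexdigest()
    else:
        actual = hashlib.sha256(salt + password.encode()).hexdigest()
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(actual, expected)

def verify_and_upgrade(password, record):
    """Return (ok, record_to_store); a legacy record is rewritten on success."""
    ok = verify(password, record)
    if ok and parse_record(record)[0] == "md5":
        return True, make_sha256_record(password)
    return ok, record

if __name__ == "__main__":
    legacy = "5f4dcc3b5aa765d61d8327deb882cf99"  # constructed sample: MD5 of "password"
    print(verify_and_upgrade("password", legacy))
```
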