Sebb,

From what I have read, the use of algorithms that have been shown to be breakable becomes unacceptable. There is literature on the web about this. From reading the government NIST web site and the government STIGs, only the SHA-x algorithms are recommended for use in sensitive applications. MD5 is not a government approved algorithm to be used in hashing functions where encryption is involved.

That said, your point about HTTP client may well be the best counterpoint. Since HTTP client runs on the client, and the client is always suspect, perhaps this is a sufficient argument. I posted the question because of the ambiguity I am finding. In the national vulnerability databases I see no listing asserting HTTP client's use of MD5 as bad. I see many complaints about MD5, but the ones I have read are more programmatic errors surrounding the algorithm and not complaints about the algorithm itself. I believe this is a relatively recent (last several years) complaint. The standards you reference are far older from what I have read. I was hoping to engage Apache security on this.

Steve

-----Original Message-----
From: sebb [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 23, 2008 8:37 PM
To: HttpComponents Project
Subject: Re: use of MD5 and security violations

On 24/10/2008, Lovette, Steve <[EMAIL PROTECTED]> wrote:
> HC development community
>
> As I understand it NIST FIPS 180-2 does not support the use of the MD5
> algorithm for digest functions. In researching government security STIGs
> this appears to be a security violation (i.e. vulnerability). However, I
> see that it is still in use with the HC 3.1. So I am surprised and
> suspecting that I am missing something. I don't see this issue addressed
> on the Apache HC Web site or the code fixed.
> In what respect does the use of MD5 make HC vulnerable?
>
> Any insight would be greatly appreciated.

I think you may have misunderstood the function of HttpClient. HC is a client library for communicating with web-servers, and as such follows the relevant HTTP RFCs.

What motivates your question?

> Thank you, Steve

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
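The thread turns on whether a client library "choosing" MD5 is a weakness. The following added example (written for this page, not code from HttpClient or the HttpComponents project) assumes that the MD5 use in question is HTTP Digest authentication as specified in RFC 2617, where the hash function is named by the server's challenge and defaults to MD5 when absent, so an RFC-conformant client computes MD5 because the protocol requires it. The challenge values are the RFC 2617 section 3.5 example (constructed input, not captured traffic); the function names `parse_challenge`, `digest_response`, `authorization_header` and `server_verify` are mine. It also shows the SHA-256 variant from RFC 7616, which a client can only use if the server offers it.

```python
import hashlib
import hmac
import re

# Constructed WWW-Authenticate challenge using the example parameters from
# RFC 2617 section 3.5 (not captured from HttpClient or any real server).
CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
             'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
             'opaque="5ccc069c403ebaf9f0171e9517f40e41"')

# Hash functions a Digest challenge may name: MD5 is the RFC 2617 default;
# SHA-256 was added by RFC 7616 and is only usable if the server advertises it.
_HASHES = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}

# key=value pairs, value either quoted ("...") or a bare token (nc=00000001)
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_challenge(header: str) -> dict:
    """Split a Digest challenge (or Authorization) header into its parameters.

    A missing 'algorithm' parameter means MD5 (RFC 2617 section 3.2.1): the
    server, not the client, decides which hash is computed.
    """
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header: " + scheme)
    fields = {k: quoted or bare for k, quoted, bare in _PARAM_RE.findall(params)}
    fields.setdefault("algorithm", "MD5")
    if fields["algorithm"] not in _HASHES:
        raise ValueError("unsupported algorithm: " + fields["algorithm"])
    return fields


def _h(algorithm: str, data: str) -> str:
    """Hex digest of data under the algorithm the challenge named."""
    return _HASHES[algorithm](data.encode("utf-8")).hexdigest()


def digest_response(challenge: dict, username: str, password: str,
                    method: str, uri: str, nc: str, cnonce: str,
                    qop: str = "auth") -> str:
    """Compute the 'response' value for qop=auth (RFC 2617 section 3.2.2.1)."""
    alg = challenge["algorithm"]
    ha1 = _h(alg, f"{username}:{challenge['realm']}:{password}")
    ha2 = _h(alg, f"{method}:{uri}")
    return _h(alg, f"{ha1}:{challenge['nonce']}:{nc}:{cnonce}:{qop}:{ha2}")


def authorization_header(challenge: dict, username: str, password: str,
                         method: str, uri: str, nc: str, cnonce: str,
                         qop: str = "auth") -> str:
    """Build the Authorization header a client sends back to the server."""
    resp = digest_response(challenge, username, password, method, uri, nc, cnonce, qop)
    parts = [f'username="{username}"', f'realm="{challenge["realm"]}"',
             f'nonce="{challenge["nonce"]}"', f'uri="{uri}"', f"qop={qop}",
             f"nc={nc}", f'cnonce="{cnonce}"', f'response="{resp}"',
             f'algorithm={challenge["algorithm"]}']
    if "opaque" in challenge:
        parts.append(f'opaque="{challenge["opaque"]}"')
    return "Digest " + ", ".join(parts)


def server_verify(challenge: dict, stored_password: str,
                  auth_header: str, method: str) -> bool:
    """Server side: recompute the response from the stored password and compare.

    The comparison uses the hash the server itself advertised, so a client that
    unilaterally switched to SHA-256 against an MD5 challenge would simply fail.
    """
    fields = parse_challenge(auth_header)
    expected = digest_response(challenge, fields["username"], stored_password,
                               method, fields["uri"], fields["nc"],
                               fields["cnonce"], fields["qop"])
    return hmac.compare_digest(expected, fields["response"])


if __name__ == "__main__":
    ch = parse_challenge(CHALLENGE)
    hdr = authorization_header(ch, "Mufasa", "Circle Of Life", "GET",
                               "/dir/index.html", "00000001", "0a4f113b")
    print(hdr)
    print("server accepts:", server_verify(ch, "Circle Of Life", hdr, "GET"))
```

Running the block reproduces the RFC 2617 example response `6629fae49393a05397450978507c4ef1` for the Mufasa test vector; swapping the challenge's `algorithm` to `SHA-256` changes the hash, but only because the server asked for it. Where the hash is weak, the remedy sits with the server operator (offer RFC 7616 SHA-256, or move to TLS plus a stronger scheme), not with the client library that answers the challenge.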
