On 24/10/2008, Lovette, Steve <[EMAIL PROTECTED]> wrote: > Sebbaz > From what I have read the use of algorithms that have been shown to be > breakable become unacceptable. There is literature on the web about > this. From reading the government NIST web site and the government STIGs > that recommend only the SHA-x algorithms to be used in sensitive > applications. MD5 is not a government approved algorithm to be used in > hashing functions where encryption is involved.
OK, but so what? > That said your point about HTTP client may well be the best counter > point. Since HTTP client runs on the client and the client is always > suspect then perhaps this is a sufficient argument. I think you still misunderstand what HC is for. It is irrelevant where HC runs; the point is that it is a client library, i.e. it talks to servers. If the server needs MD5 for something, then HC will use that. HC does not use MD5 for its own purposes. > I posted the question because of the ambiguity I am finding. In the > national vulnerability databases I see no listing asserting HTTP clients > use of MD5 as bad. I see many complaints about MD5 but the ones I have > read are more programmatic errors surrounding the algorithm and not > complaints about the algorithm itself. > > I believe this is a relatively recent (last several years) complaint. > The standards you reference are far older from what I have read. I was > hoping to engage Apache security on this. I think you'll find that Apache security are well aware of the problems related to MD5. > Steve > > > > > > > -----Original Message----- > From: sebb [mailto:[EMAIL PROTECTED] > Sent: Thursday, October 23, 2008 8:37 PM > To: HttpComponents Project > Subject: Re: use of MD5 and security violations > > On 24/10/2008, Lovette, Steve <[EMAIL PROTECTED]> wrote: > > HC development community > > > > As I understand it NIST FIPS 180-2 does not support the use of the > MD5 > > algorithm for digest functions. In researching government security > STIGS > > this appears to be a security violation (i.e. vulnerability). > However, I > > see that it is still in use with the HC 3.1. So I am surprised and > > suspecting that I am missing something. I don't see this issue > addressed > > on the Apache HC Web site or the code fixed. > > > > In what respect does the use of MD5 make HC vulnerable? > > > > > Any insight would greatly appreciated. > > I think you may have misunderstood the function of HttpClient. > HC is a client library for communicating with web-servers, and as such > follows the relevant HTTP RFCs. > > What motivates your question? > > > > > Thank you, Steve > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
