Preston L. Bannister wrote:
How would you reverse a session-id from an MD5 hash? The exploit used to
forge an SSL certificate will not help you. The MD5 exploit is irrelevant to
this particular usage.
Lots of links and discussion:
http://www.schneier.com/blog/archives/2008/12/forging_ssl_cer.html
I'm fully aware that this is different, Preston. And I am certain that
there are many things I don't understand about security. All I meant to
point out by the reference was that the idea that MD5 collisions are
theoretical, based on the notion of computational expense, should now be
shattered.
If you are connecting to *any web application* on a high-value target over
an insecure network using HTTP (not HTTPS) then you already have a *Very
Large Problem* (think about man-in-the-middle attacks). Changing the hash
applied to session ids is not going to help.
Yes, but what I'm suggesting relates to brute forcing and session
hijacking scenarios. I totally agree that SSL definitely makes it all
much harder to pull off. Nonetheless, many sites have vulnerabilities
in how they handle these things (e.g. the recent Yahoo Mail problem), so
taking SSL for granted can be a problem, as well.
Minoo, as a "security researcher" you should already be clear on the
relative importance of differing risks, and cost/value ratios of exploits.
Use of the MD5 hash as described is entirely harmless.
Thanks for the air quotes, Preston. The problem with your line of logic
is that it ignores asymmetries -- the thing you don't thing is a problem
that can sometimes be your biggest problem. I tend to treat things
equally till I'm certain, because risk does not follow a normal
distribution model, when it comes to vulnerabilities.
Anyhow, I have come to the Tomcat developer community to both be
supportive and to ask for help in determining if this is or is not a
real risk. Clearly you think it is not. I appreciate your feedback.
Minoo
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
