Ian Grigg wrote:
>
> Not that it is a huge deal, security wise (any hash is better
> than no hash, which is where we are now), but you should
> consider using SHA-256 for this.
>
> As of a couple of days ago, SHA-0 was cracked (at least once,
> see below), which pretty much means MD5 is deprecated, and
> SHA-1 is nervous.
>
> Anyway, I stress that for normal purposes, MD5 is fine, it's
> just that if this feature got added, then it would be smart
> to use the better hashes from the start. And yes, it would
> be a grand feature to have as then we could do secure
> end-to-end downloading without the infrastructure cost
> imposed by the public key signing methods.

Cracked or not, MD5 is still quite useful for detecting corruption of a file while downloading it. I'm not talking about intentional hacking of a file. I'm talking about lost packets or inverted bits while the file is transiting the Internet or being written to the user's hard drive or a LAN file server.

However, I do agree with comment #14 in bug #101743 that there should be options for different hashes. This would reflect the possibility that different file sources might use different hashes.

--
David E. Ross
<http://www.rossde.com/>

I use Mozilla as my Web browser because I want a browser that
complies with Web standards. See <http://www.mozilla.org/>.
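
Added example, not part of either message and not Mozilla code: a download check that accepts whichever hash the file source publishes and reports what a match is taken to mean, following the thread's split between accidental corruption and intentional tampering. The `algo:hexdigest` label format, the function names and the two policy sets are assumptions made for this sketch, and the published digest is assumed to come from a source the user trusts.

```python
import hashlib
import hmac
import io

# Policy assumed for this example, not taken from the thread's bug report:
# a match with these is treated as evidence against accidental damage only.
CORRUPTION_ONLY = {"md5", "sha1"}
TAMPER_RESISTANT = {"sha256", "sha512"}


def digest_stream(stream, algo, chunk_size=64 * 1024):
    """Hash a file-like object in chunks so a large download need not fit in memory."""
    h = hashlib.new(algo)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_download(stream, labelled_digest):
    """Check a stream against an 'algo:hexdigest' label published by the file source.

    Returns (matched, assurance); assurance is 'corruption-only' or
    'tamper-resistant'. Raises ValueError for a malformed label or an
    algorithm outside the policy sets above.
    """
    algo, sep, expected = labelled_digest.strip().partition(":")
    algo = algo.lower().replace("-", "")  # accept "SHA-256" as well as "sha256"
    if not sep or algo not in CORRUPTION_ONLY | TAMPER_RESISTANT:
        raise ValueError(f"unsupported or malformed digest label: {labelled_digest!r}")
    actual = digest_stream(stream, algo)
    matched = hmac.compare_digest(actual.encode(), expected.strip().lower().encode())
    assurance = "tamper-resistant" if algo in TAMPER_RESISTANT else "corruption-only"
    return matched, assurance


if __name__ == "__main__":
    # Constructed sample data standing in for a downloaded file.
    original = b"constructed sample payload\n" * 1000
    labels = ["md5:" + hashlib.md5(original).hexdigest(),
              "SHA-256:" + hashlib.sha256(original).hexdigest()]
    damaged = bytearray(original)
    damaged[123] ^= 0x01  # one inverted bit, as in the corruption case above
    for label in labels:
        print(label.split(":")[0], "intact :", verify_download(io.BytesIO(original), label))
        print(label.split(":")[0], "damaged:", verify_download(io.BytesIO(bytes(damaged)), label))
```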
