steffen <stef...@sdaoden.eu> writes:

>That is: whether "vulnerability" thus means to create a fake packet with
>identical MD-5 and SHA-1 hashes (it seems TLSv1.1 always uses both
>concurrently, at least for RSA) as the cryptographically verifiable one that
>ships with the packet.
>
>It seems to me this is hard stuff, especially for "the occasional attack".
It's not just hard, for TLS it's pretty much impossible. The collision attacks
against SHA-1 have been chosen-prefix and very much offline, which you can't do
with TLS. Even then, it's only the handshake which uses SHA-1; the rest uses
HMAC-SHA1 which, even for MD5, is still secure. Finally, TLS < 1.2 uses
MD5+SHA1 in combination, which no-one has found an actual attack on yet. So in
this case TLS 1.2 is actually weaker than TLS 1.1.

There's also the issue I cover in:

http://www.cs.auckland.ac.nz/~pgut001/pubs/bollocks.pdf

which is really about quantum cryptanalysis but also covers other attack types.

Peter.