  1. #51
    SitePoint Addict
    Join Date
    Apr 2009
    Posts
    248
    Quote, originally posted by hash:
    That's not a problem with the post, it's the whole point. The message is not known, so it doesn't matter how easy it is to generate a collision for a known message.

    Neither the token nor the password is vulnerable to collision attacks. Collision attacks are where one (malicious) message is able to pass itself off as another (trusted) message via an identical hash. In this case the attacker does not know the message or its hash.
    Which still doesn't answer the question of why you would choose to use MD5. What is the purpose of making a choice like that?

  2. #52
    SitePoint Wizard
    Join Date
    Nov 2005
    Posts
    1,191
    I wasn't trying to answer that question, just clear up why md5 isn't broken if you just want a quick token or two.
    Out of interest:
    Code:
    grep -r "md5(" ./symfony
    Found 71 lines including this
    Code:
    ./lib/vendor/symfony/lib/form/sfForm.class.php:        self::$CSRFSecret = md5(__FILE__.php_uname());
    ./lib/vendor/symfony/lib/form/sfForm.class.php:    return md5($secret.session_id().get_class($this));
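The token derivation in the grep output above is only as strong as the secret fed into it, which is the point the quoted post makes about the message being unknown. As an added example (not part of the thread and not Symfony's code; the function names and sample values are hypothetical), here is that concatenate-and-hash derivation next to a keyed HMAC-SHA256 variant with constant-time verification:

```php
<?php
// Added illustration; function names are hypothetical, not Symfony API.

// Same shape as the sfForm line above: unkeyed MD5 over the
// plain concatenation secret . session id . form class.
function csrf_token_md5(string $secret, string $sessionId, string $formClass): string
{
    return md5($secret . $sessionId . $formClass);
}

// Keyed variant: the secret is the HMAC key, and each field is
// length-prefixed so field boundaries are part of the hashed message.
function csrf_token_hmac(string $secret, string $sessionId, string $formClass): string
{
    $message = strlen($sessionId) . ':' . $sessionId
             . '|' . strlen($formClass) . ':' . $formClass;
    return hash_hmac('sha256', $message, $secret);
}

// Compare tokens in constant time so the check does not leak
// how many leading characters of a guess were correct.
function csrf_token_valid(string $expected, string $submitted): bool
{
    return hash_equals($expected, $submitted);
}

// Constructed sample values (not taken from any real application).
$secret    = bin2hex(random_bytes(32)); // unpredictable per-install secret
$sessionId = 'constructed-session-id-0001';
$formClass = 'ContactForm';

$token = csrf_token_hmac($secret, $sessionId, $formClass);

// A token is accepted for the session and form it was issued for...
var_dump(csrf_token_valid($token, csrf_token_hmac($secret, $sessionId, $formClass)));
// ...and rejected when replayed against a different session.
var_dump(csrf_token_valid($token, csrf_token_hmac($secret, 'other-session', $formClass)));

// Plain concatenation hashes the same bytes for different field splits;
// length prefixes in the HMAC variant keep the two inputs distinct.
var_dump(csrf_token_md5('s', 'ab', 'c') === csrf_token_md5('s', 'a', 'bc'));
var_dump(csrf_token_hmac('s', 'ab', 'c') === csrf_token_hmac('s', 'a', 'bc'));
```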

