oss-sec mailing list archives
Re: Microsoft Warns Customers Away From RC4 and SHA-1
From: Tim <tim-security () sentinelchicken org>
Date: Wed, 13 Nov 2013 07:57:51 -0800
I'm inclined to agree. The question I suppose is, like DES (and 3DES/MD5) at what point do we start assigning CVE's for some of this? thoughts and comments welcome.
Using a weak encyption algorithm alone isn't a sufficient condition to issue a CVE against software, since often the context of the usage matters a lot. If you use MD5 or SHA-1 for password hashing (with lots of salt and rounds), then there's no vulnerability. If you use them for HMACs, then there's also likely no problem. But if you use them for a signature with a public key, there is. So to answer the "at what point" question: *right now*, but *only* in the proper context. There needs to be a demonstrable attack in that context. tim
Current thread:
- Microsoft Warns Customers Away From RC4 and SHA-1 Kurt Seifried (Nov 12)
- Re: Microsoft Warns Customers Away From RC4 and SHA-1 Tim (Nov 13)
- Re: Microsoft Warns Customers Away From RC4 and SHA-1 Eric H. Christensen (Nov 13)
- cryptographic primitive choices [was: Re: Microsoft Warns Customers Away From RC4 and SHA-1] Daniel Kahn Gillmor (Nov 13)
- Re: cryptographic primitive choices [was: Re: Microsoft Warns Customers Away From RC4 and SHA-1] Tim (Nov 14)
- Re: cryptographic primitive choices [was: Re: Microsoft Warns Customers Away From RC4 and SHA-1] Kurt Seifried (Nov 14)
- Re: cryptographic primitive choices [was: Re: Microsoft Warns Customers Away From RC4 and SHA-1] Chris Palmer (Nov 14)
- Re: cryptographic primitive choices [was: Re: Microsoft Warns Customers Away From RC4 and SHA-1] Kurt Seifried (Nov 14)
- Re: cryptographic primitive choices [was: Re: Microsoft Warns Customers Away From RC4 and SHA-1] Chris Palmer (Nov 15)
- Re: cryptographic primitive choices [was: Re: Microsoft Warns Customers Away From RC4 and SHA-1] Kurt Seifried (Nov 15)
- Re: cryptographic primitive choices [was: Re: Microsoft Warns Customers Away From RC4 and SHA-1] Marcus Meissner (Nov 15)
- Re: Microsoft Warns Customers Away From RC4 and SHA-1 Tim (Nov 13)