hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Lovette, Steve" <steve.love...@lmco.com>
Subject RE: use of MD5 and security violations
Date Fri, 24 Oct 2008 12:15:29 GMT
 From what I have read the use of algorithms that have been shown to be
breakable become unacceptable. There is literature on the web about
this. From reading the government NIST web site and the government STIGs
that recommend only the SHA-x algorithms to be used in sensitive
applications. MD5 is not a government approved algorithm to be used in
hashing functions where encryption is involved.

That said your point about HTTP client may well be the best counter
point. Since HTTP client runs on the client and the client is always
suspect then perhaps this is a sufficient argument.

I posted the question because of the ambiguity I am finding. In the
national vulnerability databases I see no listing asserting HTTP clients
use of MD5 as bad. I see many complaints about MD5 but the ones I have
read are more programmatic errors surrounding the algorithm and not
complaints about the algorithm itself.

I believe this is a relatively recent (last several years) complaint.
The standards you reference are far older from what I have read. I was
hoping to engage Apache security on this. 



-----Original Message-----
From: sebb [mailto:sebbaz@gmail.com] 
Sent: Thursday, October 23, 2008 8:37 PM
To: HttpComponents Project
Subject: Re: use of MD5 and security violations

On 24/10/2008, Lovette, Steve <steve.lovette@lmco.com> wrote:
> HC development community
>   As I understand it NIST FIPS 180-2 does not support the use of the
>  algorithm for digest functions. In researching government security
>  this appears to be a security violation (i.e. vulnerability).
However, I
>  see that it is still in use with the HC 3.1. So I am surprised and
>  suspecting that I am missing something. I don't see this issue
>  on the Apache HC Web site or the code fixed.

In what respect does the use of MD5 make HC vulnerable?

>  Any insight would greatly appreciated.

I think you may have misunderstood the function of HttpClient.
HC is a client library for communicating with web-servers, and as such
follows the relevant HTTP RFCs.

What motivates your question?

>  Thank you, Steve

To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org

To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org

View raw message