httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From William A Rowe Jr <>
Subject Re: SHA-256
Date Sat, 25 Feb 2017 04:45:46 GMT
On Fri, Feb 24, 2017 at 2:30 PM, Helmut K. C. Tessarek
<> wrote:
> On 2017-02-24 12:52, Jim Jagielski wrote:
>> I think we should start, in addition to "signing" w/ md5 and sha-1,
>> using sha-256 as well.
> I have a question: why are you still using md5/sha1 for generating file
> hashes in the first place?
> Noone with knowledge of hashing algos would use these hashes to validate
> a file's authenticity.

Uhm, noone uses hashes to validate authenticity unless they are transmitted
through an entirely distinct channel. E.g. not your internet connection.

They are useful for file completeness/error checking only. I'd agree there is
zero purpose in retaining SHA1 when SHA256 is in place. MD5 has the one
distinction of being ubiquitous even on ancient OS's.

> Bottom line is that you lull people into a false sense of security by
> providing md5/sha1 hashes. People, who don't know that these algorithms
> have been broken already, might think that they are safe (by checking
> the file against the md5 hash) while in reality they are not.

And SHA256 is a means to authenticate how, exactly?

We provide .asc pgp signatures exclusively for that purpose.

View raw message