On Tuesday, February 12, 2019, Jeremy Stanley <fungi@yuggoth.org> wrote:
> On 2019-02-12 13:37:20 -0500 (-0500), Wes Turner wrote:
> > MD5 is no longer suitable for verifying package integrity.
> > https://en.wikipedia.org/wiki/MD5#Security
> > The security of the MD5 hash function is severely compromised. A collision attack exists [...] there is also a chosen-prefix collision attack [...]
>
> The difference between collision (or chosen-prefix collision) and preimage (or second preimage) attacks is still very relevant. With MD5 you can't trust that someone who provided you with an input and a hash of that input hasn't carefully crafted that input so that there is also a second input which results in the same hash. Or in package terms, you can't trust that the package you've received wasn't part of a contrived scheme on the part of someone you've already decided to trust. You can still rest assured (for now anyway) that the package you receive is the same one the person or system providing the MD5 checksum intended for you to receive.

It is possible to find a nonce value that causes an arbitrary package to have the same MD5 hash as the actual package.

> But because trying to explain this nuance to people is considerably harder than just saying "MD5 bad" it's simply not worth trying to have the discussion most of the time, and so easier instead to replace it with a more modern alternative and move on with your life.
> --
> Jeremy Stanley
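The collision-versus-second-preimage distinction discussed in the thread, as an added illustration that is not code from the thread: it uses MD5 truncated to 16 bits as a constructed stand-in (so both searches finish in well under a second; real MD5 gives 128 bits), and the package contents and nonce formats are made up. A publisher who controls both versions of a package needs only a birthday-bounded number of candidates to make two of them share a digest, while someone trying to match the digest of a package they did not create must search the whole digest space.

```python
import hashlib
import itertools

# Constructed weak hash: MD5 truncated to 16 bits. Keeps the collision vs
# second-preimage cost gap visible while making both searches run quickly.
TRUNC_BITS = 16


def weak_digest(data: bytes) -> int:
    """Leading TRUNC_BITS of MD5(data), as an integer."""
    return int.from_bytes(hashlib.md5(data).digest(), "big") >> (128 - TRUNC_BITS)


def find_collision(prefix: bytes):
    """Colluding publisher's position: pick *both* packages.

    Birthday search over build-id variants of one package; expected work is
    about 2**(TRUNC_BITS/2) digests. Returns (package_a, package_b, tries)."""
    seen = {}
    for i in itertools.count(1):
        candidate = prefix + b"\n# build-id: %d\n" % i
        d = weak_digest(candidate)
        if d in seen:
            return seen[d], candidate, i
        seen[d] = candidate


def find_second_preimage(target: bytes, payload: bytes, limit: int):
    """Outsider's position: the target package is fixed by someone else.

    Must hit one specific digest, so expected work is about 2**TRUNC_BITS
    digests. Returns (package, tries) or None when limit is exhausted."""
    want = weak_digest(target)
    for i in range(1, limit + 1):
        candidate = payload + b"\n# nonce: %d\n" % i
        if weak_digest(candidate) == want:
            return candidate, i
    return None


def verify(package: bytes, published_digest: int) -> bool:
    """What a checksum check does: compare against the digest the publisher gave out."""
    return weak_digest(package) == published_digest


if __name__ == "__main__":
    a, b, n_coll = find_collision(b"# constructed package contents")
    print("collision after", n_coll, "candidates; verifier accepts b:",
          verify(b, weak_digest(a)))
    hit = find_second_preimage(a, b"# constructed outsider payload", 16 << TRUNC_BITS)
    print("second preimage after", hit[1] if hit else "no", "candidates")
```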