FYI: Stronger Hashes

therube
Ambassador
Posts: 7409
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

FYI: Stronger Hashes

Post by therube » Mon Jun 01, 2009 7:17 pm

Stronger Hash Support for Secure Installations and Updates

Ever since released our file release system (including secure updates and installations of .xpi files) we've planned on improving the support of hashes. We didn't originally realize that md5 was no longer on the list of hashes, and with sha1 having its own share of problems recently, the need for stronger hashes was increased.

So finally we have dropped support for md5 as well and support only the stronger hash mechanisms (sha1, sha256, sha384, and sha512). We still auto-detect the hash type by the length of the hash submitted in the file management tool, so the procedure is exactly the same. Any existing md5 hashes are still in our system and presented by our secure install links but are considered deprecated.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.21) Gecko/20090403 SeaMonkey/1.1.16
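
The length-based hash detection described in the post above, sketched as an added example (not part of the original thread and not the site's own code). The function names, the rejection of md5 on submission, and the sample payload are assumptions made for illustration.

```python
import hashlib
import hmac
import io

# Hex digest length -> algorithm, for the hashes the post lists as supported.
ACCEPTED = {40: "sha1", 64: "sha256", 96: "sha384", 128: "sha512"}
# The post says md5 support is dropped; rejecting it here is this example's assumption.
DEPRECATED = {32: "md5"}


def detect_algorithm(hex_digest):
    """Return the hash name implied by the digest length, or raise ValueError."""
    digest = hex_digest.strip().lower()
    if not digest or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("digest is not hexadecimal")
    if len(digest) in DEPRECATED:
        raise ValueError(f"{DEPRECATED[len(digest)]} digests are no longer accepted")
    try:
        return ACCEPTED[len(digest)]
    except KeyError:
        raise ValueError(f"unrecognised digest length {len(digest)}") from None


def verify_stream(stream, expected_hex, chunk_size=65536):
    """Hash a binary stream with the detected algorithm and compare digests."""
    algorithm = detect_algorithm(expected_hex)
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    # compare_digest avoids leaking the mismatch position through timing.
    return hmac.compare_digest(h.hexdigest(), expected_hex.strip().lower())


if __name__ == "__main__":
    # Constructed sample bytes standing in for a downloaded .xpi file.
    payload = b"constructed sample standing in for an .xpi file"
    good = hashlib.sha256(payload).hexdigest()
    print(detect_algorithm(good), verify_stream(io.BytesIO(payload), good))
```

Length alone cannot tell apart algorithms with equal output sizes (SHA-256 and SHA3-256 both produce 64 hex characters), so a table like this must map each length to exactly one algorithm.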

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: FYI: Stronger Hashes

Post by Tom T. » Tue Jun 02, 2009 10:00 am

SHA-1 is "stronger"? It's coming under heavy fire. Why not just go to -256+ until the US Gov finishes the new hash competition?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard


Re: FYI: Stronger Hashes

Post by therube » Tue Jun 02, 2009 3:00 pm

Stronger than MD5. (And CRC-32.)
But for the purposes intended, I would have to assume that SHA-1 would be more than sufficient.