Looks like MD5 hashes are deprecated now... there have been security papers about possible generation of any MD5 hashed data using large computation (they used 200 networked PS3s if I recall) sometime around Xmas.

It caused a bit of a scare in the browser communities (IE/Firefox etc.) as some of the SSL certificate authorities such as Comodo or a subsidiary thereof rely on MD5, although most have now switched to using SHA hashes. The worry was that while some recognised certificate vendors were still using MD5 there was the possibility they could validate any site certificate, even if they were using other hashes, by supplying a valid MD5 verification, I understand. See http://www.heise-online.co.uk/security/25C3-MD5-collisions-crack-CA-certificate--/news/112327

"The infrastructure of Certification Authorities is meant to prevent this kind of attack, but despite warnings, some root CAs are still using MD5, leaving people potentially exposed to the possibility of forged certificates. The team found the following CAs still using MD5: RapidSSL, FreeSSL, TC TrustCenter AG, RSA Data Security, Thawte and verisign.co.jp. They collected 30,000 certificates and found 9,000 of them were signed with MD5 and of them, 97 per cent were issued by RapidSSL. Because of this and other attributes of RapidSSL's procedures, such as use of sequential serial numbers in issued certificates, the researchers examined RapidSSL's certificates in greater depth. By purchasing a certificate and then getting it reissued a number of times, data allowing prediction of the serial number was obtained, allowing the researchers to generate the certificate data to be signed over the course of just a few days. The predicted serial number was then passed to the Playstation 3 cluster, which was asked to calculate both legitimate certificate data and bogus certificate data, which when MD5 hashed, would collide. When it came to the time the predicted serial number would be used by the CA, the researchers purchased a new legitimate certificate, hoping to get a certificate with the same serial number as they had predicted.

It took four attempts to get the methodology to work and actually get a certificate with the same serial number, but the signature of the issued certificate was now valid on the bogus colliding certificate because of the MD5 collision."

I understand RapidSSL hurriedly switched in January... I presume this means for Delphi it's a good idea to use something else... what do others use?

John

> This popped up on DelphiFeeds.com today
> http://delphi.about.com/od/objectpascalide/a/delphi-md5-hash.htm

_______________________________________________
NZ Borland Developers Group - Delphi mailing list
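One defender-side check that follows from the RapidSSL story above, as an added example that is not part of this thread or the linked article: a small Python script that walks the DER structure of an X.509 certificate, reads the outer signatureAlgorithm OID and flags the md5WithRSAEncryption (and sha1WithRSAEncryption) OIDs. The certificates it builds with toy_cert() are constructed skeletons with placeholder contents, so the check runs offline; the function names are the example's own.

```python
# Minimal DER helpers; enough for Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
def der(tag, body):  # encoder: short-form length only (the toy certs below are < 128 bytes)
    return bytes([tag, len(body)]) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for v in arcs[2:]:  # base-128 groups, high bit set on all but the last byte
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def read_tlv(buf, pos):  # decoder handles long-form lengths, as real certificates need
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the real length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

WEAK_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
                 "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}

def signature_oid(cert_der):
    """Dotted OID of the outer signatureAlgorithm of a DER-encoded X.509 certificate."""
    _, cert, _ = read_tlv(cert_der, 0)      # outer Certificate SEQUENCE
    _, _, pos = read_tlv(cert, 0)           # skip tbsCertificate
    _, sig_alg, _ = read_tlv(cert, pos)     # signatureAlgorithm (AlgorithmIdentifier)
    _, oid_body, _ = read_tlv(sig_alg, 0)   # its first element is the algorithm OID
    return decode_oid(oid_body)

def weak_signature(cert_der):  # name of the weak hash-based algorithm, else None
    return WEAK_SIG_OIDS.get(signature_oid(cert_der))

def toy_cert(sig_oid):  # constructed skeleton cert (placeholder tbs and signature) for offline use
    tbs = der(0x30, der(0x02, b"\x01"))                 # placeholder tbsCertificate
    alg = der(0x30, encode_oid(sig_oid) + b"\x05\x00")  # AlgorithmIdentifier with NULL params
    return der(0x30, tbs + alg + der(0x03, b"\x00" + b"\xaa" * 16))  # placeholder BIT STRING
```

The DER walk only relies on the outer SEQUENCE layout, so signature_oid() also works on a real certificate read with open(path, "rb").read(); a PEM file needs its base64 body decoded first.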