Get real. Read about the actual problems. Bthe issue is that there is a theoretical problem that a manufactured duplicate collision could be manufactored in something like time 2^82, something that nobody has actually be able to do.
Sure, SHA-1 has a known weakeness. It's replacement probably has an as yet unknown weakness as well. If you were starting over from scratch, you wouldn't want to use SHA-1 to avoid wasting time with discussions like this. See also RC4. But the problem with SHA-1 doesn't justify the inconvenience of changing it. Now, all that said, if the only use of SHA-1 is to flatten the "master key" in SRP into a session key, then there is no dependency on SHA-1 as a cryptographic hash, only as randomizing hash, and the weakness is irrelevant. But if it's used to store passwords, that's a security problem so huge that any SHA-1 weakness doesn't even come into it. Context is everything. On Sunday, July 26, 2015, Mark Rotteveel <m...@lawinegevaar.nl> wrote: > I have brought this up before, and it might be a bit annoying that I do > so again, but I remain concerned by the fact that we are about to ship a > product (Firebird 3) that uses hashing and encryption algorithms (SHA-1 > and RC4) that most in the industry consider outdated and (relatively) > insecure. > > Organizations are taking actions to deprecate and disable both (eg > Oracle disabled RC4 in TLS in Java 8 Update 51, the IETF now prohibits > the use of RC4 in TLS, https://tools.ietf.org/html/rfc7465). > > They might still be strong enough for now, but I am also concerned about > the public image impact of releasing a product with a new security > feature that uses algorithms considered insecure by todays standards. > > Mark > -- > Mark Rotteveel > > > ------------------------------------------------------------------------------ > Firebird-Devel mailing list, web interface at > https://lists.sourceforge.net/lists/listinfo/firebird-devel > -- Jim Starkey
------------------------------------------------------------------------------
Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel