> > Great. Could you please show me the link to files that have the same > length > > and MD5 as those in the 4.1 release? > > That means nothing. If the OpenBSD project used a CRC16 to verify > integrity, > your argument would still hold.
I wasn't aware that I made an argument. I simply asked a question, and the reason why you're unable to answer the question is that it is still hard to find collisions to the files in the 4.1 release in a way that it is not hard to find collisions in .exe's, scripts, postscript documents (which are themselves code to be interpreted by printers), etc. everything, I do not understand the motivation behind not using a secure > algorithm such as SHA-256 or SHA-512. > Your point is taken, however, can you illustrate the threat against which the stronger hash is to protect? If the threat is that someone will redirect you to a fake openbsd.org (through DNS cache poisoning, etc.), the stronger hash offers no protection. If there's a man in the middle, it similarly offers you no more protection, and the same is true if someone manages to hack openbsd.org and upload different binaries. I agree that there are stronger cryptographic hashes, but should they really make you sleep better at night? You used phrases such as "known to be insecure" and "MD5 is dead". My question is "dead for what purpose?". MD4 is certainly more insecure than MD5, yet I suspect that many of us use rsync daily and don't give it another thought.