I think you're assuming something that wasn't said.
You may want to reread some of the article. I said:

"While MD5 is not the strongest cryptographic hash tool in the world these days, it is still generally useful for verifying file integrity when downloading software."

Then, in my most recent article, I said:

"Because downloading software involves an implicit trust in the provider of the software in the first place, the potential for abuse in file verification hashes is very slim. Because you do not get to choose the inputs that will match a given hash, you cannot simply generate two versions of a program -- one that is benign and one that is malign -- and use that to slip malware past someone's defenses while providing an MD5 hash for verification that both software files match.

"On the other hand, because in authentication systems a password's only function is to produce a given hash, and circumventing the security of the authentication system does not require tricking a human being into believing a second input to a given hash is the same as the first, the security implications of a hash algorithm's collision weakness can be far greater than in the case of verifying a file download."

You might also want to more closely read some of what you are citing. From the Computerworld article:

"These results, while mathematically significant, aren't cause for alarm."

. . . and, finally, I never specifically recommended using MD5 over other algorithms. What I did is explain that the use of MD5 hashes for download verification is ubiquitous, and explain how to make use of it. If you find a download with a verification hash provided by a better algorithm, have at it -- there are some that provide SHA-256 in addition to MD5, for instance. Many, however, only use MD5.

What are you going to do if a given download provides verification only via MD5? You don't have many options. On one hand, you can use it -- which is as safe as the place where you're downloading it. On the other hand, you can choose to avoid it -- which is less safe, because now you aren't using anything to try to verify your download.

Here's a key statement from today's article, to help you understand why this isn't the terrible security vulnerability you think it is:

"Because downloading software involves an implicit trust in the provider of the software in the first place, the potential for abuse in file verification hashes is very slim."

. . . and, to wrap this up, here's my final sentence from this article about MD5 hash verification, with the part of the sentence that is actually relevant to the reason for what I do recommend bolded:

"Because so many open source software development projects use MD5 hashes for verification, it is a good idea to learn how to use it and keep an MD5 hash generating tool handy if you ever need to go outside of a secure software management system when installing software."

Thanks for reading and commenting. I wish you had read more closely.
Posted by apotheon
10th Dec 2007