1. I didn't ask you to agree with me. This far into our online discussion, we don't seem to even be communicating. I was merely asking for some resolution between two MD5-related blog entries and your comments to me.
2 & 6. "I never made a specific recommendation that people should use MD5 ..."
The title of your original blog entry begins with the word "Use", not "Using". The word, use, is a directive or imperative for the reader.
3. It isn't just receivers of files who are readers of your blog entries. Software developers and program managers are amongst your readers. My comments were directed as much to the distributors of files as the recipients of the files.
4. MD-5 hash collisions have been detected and demonstrated by hash researchers. NIST (and others) recommends against using them for cryptographic functions and recommends the adoption of stronger or multiple hash algorithms for future applications. It shouldn't matter whether your articles were about passwords or file downloads. MD-5 has weaknesses and isn't a compensation for the trust relationship you might have with the source. There are man-in-the-middle exploits and rootkit viruses that could take advantage of the MD-5 weakness(es) to distribute malware, even from a trusted source.
5. How I got to the article isn't important. I didn't know about the other article until your responses prompted me to look at the history of articles you'd written.
7. If someone disagrees with you, it is OK to pounce on them? If someone comments that the underlying technology might be flawed, it is OK to pounce on them?!?
It seems that we've spent a lot of time responding to comments without actually helping readers of this blog entry or the subsequent comments.
I even commented on one of my comments.
I'm not belittling this blog entry. It is a good thing for you to inform folks about hashing topics...definition, different algorithms, common uses, weaknesses. I think it is good for folks to know what tools are available when checking hashes.
That said, I think it is also important for folks to know about MD-5 weaknesses if they are planning/designing/writing/deploying a file distribution system or might be relying on the strength of MD-5 to ensure integrity of the files they download from their trusted sources.
Discussion on:
Message 10 of 16
Posted by aikimark@...
15th Dec 2007