
Web Security Thread

Name: Anonymous 2018-05-31 18:51

ITT we discuss web security.

Name: Anonymous 2018-06-12 7:33

>>57
> preimage resistance doesn't mean much in the context in which MD5 was used
Preimage resistance means a lot actually.

> just being able to quickly but non-exhaustively bruteforce short ASCII strings is enough to extract a lot of cleartexts
> MD5
Don't use shitty short passwords? You only need 20 characters (0-9a-zA-Z) to reach 128 bits of security.
In fact, if your hashed password has been leaked, what is the point of protecting the actual password? Chances are that the rest of the information about your account has been leaked and tampered with. This is why you should use public key authentication instead.

> the other way people used MD5 in crypto was in certificates, and this was obviously vulnerable to collisions
Collisions in certificates only matter if you need to sign someone else's data (such as in OpenPGP and in cases with CAs). It is not an issue if you are a CA and you generate the certificate yourself, it is not an issue if you use OpenPGP + MD5 and never sign other people's keys, it is not an issue if you use a self-signed certificate.

https://trailofbits.files.wordpress.com/2012/06/flame-md5.pdf
The issue here was that the generated certificate was attacker-controlled (a common issue when you rely on a third-party CA) and was signed by MS afterwards. We know that MD5's collision resistance is broken, so it was a stupid move by MS to use it for something that needed collision resistance.

Meanwhile MD5 is totally safe for things like self-signed certificates and password hashing. It is also safe if used with any algorithm that only needs preimage resistance such as Ed25519 or SPHINCS(+).
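As an added illustration, not code from this thread, using only Python's standard library: a check of the bits-of-security figure for a uniformly random password over the 62-character alphabet 0-9a-zA-Z discussed above, and a side-by-side of unsalted MD5 with a salted, deliberately slow KDF (scrypt) for stored passwords.

```python
import hashlib
import hmac
import math
import os


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of security of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest password length whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def md5_unsalted(password: str) -> str:
    """Plain MD5 of the password: fast and unsalted, so equal passwords give equal digests
    across every user and every site (precomputed tables apply directly)."""
    return hashlib.md5(password.encode()).hexdigest()


def scrypt_store(password: str, salt: bytes = b"") -> tuple:
    """Salted, memory-hard scrypt hash (n=2**14, r=8, p=1). A fresh 16-byte random salt
    is drawn when none is given; returns (salt, digest) for storage."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def scrypt_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = scrypt_store(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print("20 alnum chars:", round(entropy_bits(62, 20), 2), "bits")
    print("length for 128 bits:", length_for_bits(62, 128))
    print("same password, MD5:", md5_unsalted("correcthorse") == md5_unsalted("correcthorse"))
    s1, d1 = scrypt_store("correcthorse")
    s2, d2 = scrypt_store("correcthorse")
    print("same password, scrypt digests differ:", d1 != d2)
    print("verify ok:", scrypt_verify("correcthorse", s1, d1))
```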
