-
Notifications
You must be signed in to change notification settings - Fork 240
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
stop using md5 hash #1422
Comments
We're not using MD5 for anything regarding authentication or security. We use MD5 as a "fingerprint", to verify whether the file we have received hasn't been corrupted during upload. For that purpose MD5 is fine, since we're interested in the quick checksum, not in cryptographically-secure hashing. It's true that MD5 can have issues with collisions, but I'm not sure what an attack vector would be in this case - user manufacturing two files with the same MD5 checksum? I don't think this can be used maliciously in any way, while the probability that a random file upload corruption will produce two identical MD5 hashes is still very low. |
MD5 is not necessarily faster than SHA1 |
MD5 is still widely used for fingerprinting files and completely fine for these use cases. Changing from MD5 to SHA1 (or any other algorithms) requires re-checksumming of 1.2 million files and would possibly break existing API integrations relying on getting MD5 backs. Thus, it's not a simple change of a text string from |
Ok thanks |
Hi, on zenodo, to "verify file integrity", the MD5 hash is provided.
It's usually suggested to use something else (example).
Becuase of NSA involvements I don't trust SHA (that might have backdoors in it, explanation), but at least there are no known collisions (like there are for md5)
The text was updated successfully, but these errors were encountered: