Opened 9 years ago
Last modified 9 years ago
#1375 new Enhancement
Should switch from md5sum to sha256sum
| Reported by: | bryanquigley | Owned by: | davea |
|---|---|---|---|
| Priority: | Undetermined | Milestone: | Undetermined |
| Component: | BOINC - API | Version: | 7.4.36 |
| Keywords: | Cc: |
Description
md5sum isn't secure anymore (https://en.wikipedia.org/wiki/MD5#Collision_vulnerabilities)
The protocol should be extended to support sha256 at least.
Change History (2)
comment:1 Changed 9 years ago by
comment:2 Changed 9 years ago by
I don't believe there is a practical attack right now just if the md5sum is correct (over HTTPS let's say) and we're just attacking using the data downloaded file. Just best practice and it wouldn't hurt to have clients already support it when m5sum is broken worse.
The worst you might be able to do is try to brute force an app to crash and hope it breaks confinement and causes random damage. You couldn't inject meaningful code (my understanding anyway).
Note: See
TracTickets for help on using
tickets.
What is the attack scenario where a collision attack would break BOINC?
I think you need a preimage attack (which is still impractical even for MD5), not a collision attack.