Point is - you know nothing about cryptograpy, right ?
Posted Dec 17, 2007 22:46 UTC (Mon) by khim
In reply to: SquirrelMail 1.4.13 released - older versions compromised
Parent article: SquirrelMail 1.4.13 released - older versions compromised
I'm not familiar enough with the weakness of MD5 to judge the complexity of an attack which doesn't just use a suffix. It may be simply slightly marginally more difficult to find a collision if you modify the tail instead of appending; I dunno.
It's quite easy to find a collision if you can just modify something in the middle of file (like piece of documentation noone cares about or just some picture). But all such attacks will only work if "black hat" can alter the tarball after it's created and official signature is created. If "black hat" can alter your tarball at this stage then you have a lot of much bigger problems then just MD5 collision: he or she can just add backdoor directly to source, create tarball and sign it - why bother with MD5 collisions at all ?
to post comments)