Comment 9 for bug 1348339

Eric Hibbard (eric-hibbard) wrote :

Something to consider...when a crypto algorithm/function is used for what is perceived to be a non-crypto use, it introduces a bunch of baggage and should be part of the overall decision process. Some organizations are taking a VERY hard line when it comes to the use of things like MD5, SHA-1, RC4, etc. A generic question gets asked as to whether the code/application uses certain banned algorithms. If the answer is "yes" then its use is not permitted within the organization unless a waiver is approved (may not be an option). In such a scenario, the person wanting to use the code is put in the position of justifying the waiver and "accepting" the risks...often considered a career limiting move. I've also seen crypto issues used as a way of down-selecting choices (vendor, code bases etc.).

It seems prudent to just make this problem go away by replacing MD5 with SHA-2, especially when we've found it. Coming back later to find these because of a data breach or other problem can be a massive waste of time.
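An added example, not part of the comment above or of the project's code: a small audit helper that answers the "does this code use a banned algorithm?" question for Python source by walking the AST for `hashlib.md5(...)`, `hashlib.sha1(...)` and `hashlib.new("md5"/"sha1", ...)` calls, beside a SHA-256 content fingerprint of the kind the comment proposes as the replacement. The banned-algorithm set and the sample source being scanned are constructed for the example.

```python
"""Audit helper for banned hash algorithms plus a SHA-2 replacement.

Added example; not code from the bug report or the project it concerns.
"""
import ast
import hashlib
from typing import List, Tuple

# Algorithms the comment names as commonly banned; the exact set is an
# assumption and would come from the organization's policy in practice.
BANNED = {"md5", "sha1"}


def _is_hashlib_attr(func: ast.AST, attr: str = None) -> bool:
    """True if `func` is `hashlib.<attr>` (any attribute when attr is None)."""
    return (
        isinstance(func, ast.Attribute)
        and isinstance(func.value, ast.Name)
        and func.value.id == "hashlib"
        and (attr is None or func.attr == attr)
    )


def find_banned_hash_calls(source: str) -> List[Tuple[int, str]]:
    """Return sorted (line, algorithm) pairs for each banned hashlib use.

    Catches both the direct constructors (hashlib.md5(...)) and the
    string-selected form (hashlib.new("md5", ...)).
    """
    hits: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # hashlib.md5(...) / hashlib.sha1(...)
        if _is_hashlib_attr(func) and func.attr in BANNED:
            hits.append((node.lineno, func.attr))
        # hashlib.new("md5", ...): inspect the first positional argument
        elif _is_hashlib_attr(func, "new") and node.args:
            first = node.args[0]
            if isinstance(first, ast.Constant) and isinstance(first.value, str):
                name = first.value.lower()
                if name in BANNED:
                    hits.append((node.lineno, name))
    return sorted(hits)


def fingerprint(data: bytes) -> str:
    """Content fingerprint using SHA-256, the replacement the comment suggests
    for a non-cryptographic MD5 use such as a cache key."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample source standing in for code under review.
SAMPLE_SOURCE = '''\
import hashlib

def cache_key(payload):
    return hashlib.md5(payload).hexdigest()

def legacy(payload):
    h = hashlib.new("sha1")
    h.update(payload)
    return h.hexdigest()

def fixed(payload):
    return hashlib.sha256(payload).hexdigest()
'''

if __name__ == "__main__":
    for line, alg in find_banned_hash_calls(SAMPLE_SOURCE):
        print(f"line {line}: banned algorithm {alg}")
    print(fingerprint(b"hello"))
```

Running the script reports the MD5 call on line 4 and the SHA-1 selection on line 7 of the sample, while the `hashlib.sha256` use passes; the same scan can be pointed at a whole tree of files to answer the organization's "do you use X?" question up front rather than after a breach.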