Why do people still use MD5?

Jace Cruz
Jace Cruz

Why companies continue to use MD5. It so difficult use sha256

Jonathan Sullivan
Jonathan Sullivan

Because you don't check the sums anyway

Benjamin Nguyen
Benjamin Nguyen

You'd better ask why developers don't add PGP signatures to distributed binaries.

Julian James
Julian James

(((Oracle)))

found your problem

Hudson Allen
Hudson Allen

Because it works and you're stupid.

Jeremiah Adams
Jeremiah Adams

speed. if i want to just check that a file downloaded or transferred correctly and the site or it's just a disk to disk transfer and I know it's already good and i don't want to waste the additional 0.5s that better hashing algo's will take.

William Peterson
William Peterson

b-but the NSA is watching muh HTTP request to gayfaggot.com with billions of servers just waiting to collide the hash!!!

Leo Perry
Leo Perry

Yes, they really are fucking waiting to do that if you are a target of interest.

Jose Nelson
Jose Nelson

Don't be silly, that will only happen if you use (((https)))

Jackson Butler
Jackson Butler

Because companies host their stuff on their own website.
If the sha256 hash and the content associated come from the same source (same server), the hash is only good for error checking.

Asher Morales
Asher Morales

Do you think the NSA can really patch in a backdoor and add enough filler to dupe the MD5 code and keep the file size small enough so that you won't notice?

Angel Garcia
Angel Garcia

If it's something many people access and do so often, then yes. Like say for example, the linux kernel source code tarballs. Or certain gentoo or arch packages of importance. Use your imagination.

Gabriel Wright
Gabriel Wright

implying they do not already have all recent unique content seen on HTTP already cached and cracking

Evan Williams
Evan Williams

Well fucking duh. You're supposed to verify with other sources that the hash is correct.

Jack Nguyen
Jack Nguyen

If everyone else got the faked file, how do you ever know it is correct?
implying they don't already have all content, http or https, cached and being cracked
they don't, it is a crack on demand thing. Not needed for http obviously.

Adrian Morgan
Adrian Morgan

how do you ever know it is correct?
Because theoretically they'd find out at some point if the file is bad. If someone's reported hash from 6 months ago matches yours, you're probably fine.

Mason Rivera
Mason Rivera

why do companies still have XSS vulns?
why do companies still have SQLi?
why do companies still have RCE?
why do companies still use web?
why do companies be SJW?
why do companies recall 500 products a year?
why do companies run outdated software and software with bad reputations?
why do companies make IoT?

wait if you got a file from a site there's literally no point in it providing a hash unless you have some piece of shit HDD. it either uses HTTP, in which case MiTM can just replace the hash, or HTTPS, in which case the file integrity is already "assured" by HTTPS, and having the hash there provides no extra protection. you should be using something proper like OpenPGP anyway

Zachary Diaz
Zachary Diaz

This
You can use MD5 if it's PGP signed there's nothing to worry about.

Nicholas Gonzalez
Nicholas Gonzalez

but I do
this is a bit more work to check
they have sha256 sums for VirtualBox and Java, though
lolwat?
are you implying that (((https))) is less safe than (((http)))?
if the hash is served over https and the content over http, then it's more than regular error checking.

Chase Thompson
Chase Thompson

For a firmware updater I wrote, I get hashes over https then download the firmware unencrypted (it's fairly large, about 160MiB). GnuPG would be a bad idea as it's a lot of bloat to have to install on a system, there's a lot of additional complexity in handling all that and maintaining trust, it requires a different set of credentials than everything else, and it requires clock synchronization for proper trust which isn't practical as many networks block NTP (yes I know they shouldn't).

Oliver Green
Oliver Green

proper like OpenPGP anyway
... which is used to sign the checksums.

Eli Robinson
Eli Robinson

many networks block NTP
WAT
any proofs on that?

Caleb Perez
Caleb Perez

reeee don't use MD5 anymore
Triggered much? MD5 works fine for checking file integrity. No need to use SHA256 for that. You seem to have the newer == better mentality. You're not right friend.

Nathan Cook
Nathan Cook

what is blake2
I'll tell you what it is: superior to MD5 in literally every way

Camden Miller
Camden Miller

I am proofs. I've been building networking devices for two decades and I'm telling you what I run into.

Austin Gray
Austin Gray

Which ports are commonly open besides 443 and 80?

Hunter Murphy
Hunter Murphy

The issue isn't inbound blocking, it's outbound/session blocking. Even when traffic originates inside the network, the replies are thrown out. NTP is the first that caused me trouble as more retards started tinkering with firewalling, but now major websites are often blocking ICMP unreach replies /to their own traffic/. Zendesk does this, for example.

Noah Wright
Noah Wright

So in this case which ports are safer to use for traffic that must go in both directions and besides 443 and 80?

Joseph Phillips
Joseph Phillips

I really don't understand what you mean. Safer in what way? What is it that you're trying to do?

Jeremiah Wright
Jeremiah Wright

safer = less likely to be blocked in a random oppressive network.

Noah Garcia
Noah Garcia

and I'm trying to do somewhat censor proof tunnel, but it must not use 443 or 80 ports because (reasons)

Mason Adams
Mason Adams

For checking integrity against random bitrot, sure. For verifying whether the package has been tampered with in transit, not so much.

Evan Reed
Evan Reed

Oh, what you want is to have a rendezvous outside of the network. Like a STUN server or whatnot - you can reuse whatever anti-NAT tech you prefer. Then establish the connection out and listen on the remote for connections so you don't have to deal with firewalls/IDS blocking incoming.
The VPN service I built for my company uses EC2 boxes for this (I have them connect their branch offices via cellular which are a shitshow for incoming), but be aware that IPs on cloud services are heavily abused and you'll have to deal with being blocked by many websites.

Disable AdBlock to view this page

Disable AdBlock to view this page