What's the cost to switching to something other than MD5 here, though? I agree that users not checking download links is likely more probablistic. But as checking the sums is already entirely a manual process, what's the trouble with switching to sha256 now abd stating this in the DSA mails? No, there probably won't be another major md5 break in six months. Or maybe a year, or two, or... However, the both of us well know that the attacks here won't do anything but get better. Even if it's not a thing to sound a fire drill about, I have to admit that hearing that Debian's going to continue moving forward with md5 until an unspecified somewhen date in the future is a bit disappointing. Not (yet) the end of the world, but I would like to understand the reason (cost) for the pushback here. – S -----Original Message----- From: Florian Weimer <fw@deneb.enyo.de> Sent: Saturday, January 03, 2009 08:23 To: Skywing <Skywing@valhallalegends.com> Cc: Steven M. Bellovin <smb@cs.columbia.edu>; NANOG <nanog@nanog.org> Subject: Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

Then again, I just got yet another Debian DSA mail which has plaintext download links for new binaries. The integrity verification mechanism for said binaries is, you guessed it: PGP-signed md5sums.

I can assure you that you will continue to receive these messages for a while (unless you unsubscribe from the relevant mailing lists). Our rationale is that in order to carry out currently known attacks on MD5, you need to create a twin of documents, one evil and one harmless. In Debian's case, we prepare the data we sign on our trusted infrastructure. If someone can sneak in an evil twin due to a breach, more direct means of attack are available. In practice, the download links themselves are the larger problem because users might use them without checking anything. Eventually, they will go away, together with the MD5 hashes. Newer versions of APT also use the SHA-256 checksums embedded in the Release and Packages files.