author Bruno Haible <bruno@clisp.org> 2010-08-10 01:56:36 +0100
committer Pádraig Brady <P@draigBrady.com> 2010-08-15 01:02:44 +0100
commit 9e900e81dbb64c529a99abf6520d95245897cf84 (patch)
tree 5013cfde75539407aab679823e98e62681c724d6 /doc
parent b5f9a6a176a32d73745fc61366c26f2c1ff9fca7 (diff)
doc: improve the info on md5sum security weaknesses
* doc/coreutils.texi (md5sum invocation): Mention currently known security problems. Don't recommend SHA-1 as alternative.
* man/md5sum.x (BUGS): Warn about the vulnerabilities and reference the SHA-2 based alternatives.
Reported by Simon Josefsson
Diffstat (limited to 'doc')
-rw-r--r-- doc/coreutils.texi 14
1 files changed, 6 insertions, 8 deletions
diff --git a/doc/coreutils.texi b/doc/coreutils.texi
index 66309b183..f6d85f7e4 100644
--- a/doc/coreutils.texi
+++ b/doc/coreutils.texi
@@ -3414,14 +3414,12 @@ options}.
Note: The MD5 digest is more reliable than a simple CRC (provided by
the @command{cksum} command) for detecting accidental file corruption,
as the chances of accidentally having two files with identical MD5
-are vanishingly small. However, it should not be considered truly
-secure against malicious tampering: although finding a file with a
-given MD5 fingerprint, or modifying a file so as to retain its MD5 are
-considered infeasible at the moment, it is known how to produce
-different files with identical MD5 (a ``collision''), something which
-can be a security issue in certain contexts. For more secure hashes,
-consider using SHA-1 or SHA-2. @xref{sha1sum invocation}, and
-@ref{sha2 utilities}.
+are vanishingly small. However, it should not be considered secure
+against malicious tampering: although finding a file with a given MD5
+fingerprint is considered infeasible at the moment, it is known how
+to modify certain files, including digital certificates, so that they
+appear valid when signed with an MD5 digest.
+For more secure hashes, consider using SHA-2. @xref{sha2 utilities}.
If a @var{file} is specified as @samp{-} or if no files are given
@command{md5sum} computes the checksum for the standard input.
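Review bot: the rewritten sentence in the `+` lines no longer names the property of MD5 that is broken. The removed text said it is known how to "produce different files with identical MD5 (a ``collision'')", while the replacement, "so that they appear valid when signed with an MD5 digest", leaves the reader to infer that, and is loosely worded, since a signature is computed over the digest rather than the file being signed "with" it. Suggest keeping the collision definition and giving certificates as the example of its consequence, for instance "it is known how to produce different files with identical MD5 (a ``collision''), which allows certain files, including digital certificates, to appear validly signed". The hunk also drops the clause that modifying a file so as to retain its MD5 is considered infeasible while keeping the one about finding a file with a given fingerprint; if that is deliberate, the commit message should say why.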