Storing previous URL as session data
#15

[eluser]Jelmer[/eluser]
Quote:That’s all assuming the MD5 seed is random. Since you use time() as a basis, the possible MD5 outcomes are reduced incredibly. That, and the fact that you’re not trying to break MD5, just trying to accomplish a collision, makes the chance a lot more likely.

For example: time() gives the current timestamp. This ‘simply’ generates 60 hashes per second which are predefined. That’s a lot less ‘probability’ than what you are proposing.
As I mentioned, what I posted was a quick fix and in no way a good way to go (I edited my previous post to point that out). You should of course create a far more secure token than the one I posted.

Quote:But the point wasn’t that MD5 is insecure, or that brute-forcing MD5 isn’t that hard these days. The point is that if you don’t use GET but a simple POST request (including a nonce), all these problems go away. Not only that, but you are implementing the HTTP specs as it was intended.
POST is probably twice as secure as GET, but that doesn't really matter as it's still possible to unknowingly post stuff to a system. And while I agree with you that POST is the better way to go, it is wrong to think that makes it a lot more secure and if someone prefers to do it using the URL it's not the security concern that should keep him/her from that. Brute force is just as much possible with POST as it is with GET.
To suggest that using POST makes "all these problems go away" is a wrong statement, as POST isn't a protection against CSRF in any way. Attacks using POST may be rarer and harder, but they're not impossible and should be taken seriously.

Brute-forcing MD5 is still pretty implausible, by the way; it's a bit more complex to break, but indeed not impossible. As long as you generate your hashes using multiple non-public variables there's no chance of someone breaking it within a plausible timeframe, so MD5 is secure enough as long as you implement it right.
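An added example (not from this thread or from CodeIgniter) contrasting the md5(time()) quick fix discussed above with a nonce drawn from the OS CSPRNG, stored in the session and checked on POST with a constant-time compare. The session and form are plain dicts standing in for the framework's objects; the timestamps are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional


def weak_token(now: Optional[int] = None) -> str:
    """The quick fix debated in the thread: md5 over time().

    Deterministic per second, so two users (or a user and an attacker)
    hitting the site in the same second receive the same token, and the
    whole candidate space for a window is one hash per second.
    """
    now = int(time.time()) if now is None else now
    return hashlib.md5(str(now).encode()).hexdigest()


def issue_token(session: dict) -> str:
    """Hardened form: 128 bits from the OS CSPRNG, kept server-side in the
    session and echoed into the form as a hidden field."""
    token = secrets.token_hex(16)  # 32 hex chars, not derivable from time()
    session["csrf_token"] = token
    return token


def validate_post(session: dict, method: str, form: dict) -> bool:
    """Accept only a POST whose nonce matches the session copy.

    The token is single-use (popped on first check) and compared in
    constant time so a mismatch leaks nothing about the expected value.
    """
    if method != "POST":
        return False
    expected = session.pop("csrf_token", None)
    submitted = form.get("csrf_token")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)
```
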

