
EFF's 2011 Holiday Wish List - llambda
https://www.eff.org/deeplinks/2011/12/effs-holiday-wish-list
======
davorak
Not a security expert here but it seems like akamai should also be required to
use a root CA that does not use md5 for its encryption. I am under the
impression that md5 based encryption has been broken since 2008:
<http://www.win.tue.nl/hashclash/rogue-ca/#sec71>

~~~
ordinary
MD5 is not an encryption algorithm. It is a hashing algorithm. You're right
though, it is broken.

~~~
Dylan16807
The authentication is based on encrypting said hash, so I would say that
md5-based is good enough as a description.

------
marquis
Regarding "All software downloads should be provided only over HTTPS", this is
very expensive to provide, but is allowing users to compare a checksum an
equally secure option?

~~~
jpiasetz
What's to stop someone in the middle changing the checksum on the page?

~~~
fuzzmeister
The download page could still be served via HTTPS, even if the download itself
isn't.

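The two positions in this subthread, as an added example that is not part of the thread: if the checksum travels over the same unauthenticated channel as the file, an on-path attacker rewrites both and verification passes; if the checksum comes from an HTTPS page, a modified download fails. The file contents and the "attacker" are constructed samples, not real downloads.

```python
import hashlib
import hmac

# Constructed sample: the file the vendor actually published.
GENUINE_DOWNLOAD = b"#!/bin/sh\necho 'installer v1.0'\n"
# Constructed sample: the same file after an on-path party altered it in transit.
TAMPERED_DOWNLOAD = b"#!/bin/sh\necho 'installer v1.0 (modified)'\n"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the bytes as lowercase hex, the usual form on a download page."""
    return hashlib.sha256(data).hexdigest()


def verify_download(payload: bytes, trusted_checksum: str) -> bool:
    """True only if payload hashes to the checksum taken from an authenticated
    source (an HTTPS page). compare_digest avoids a timing side channel."""
    expected = trusted_checksum.strip().lower()
    return hmac.compare_digest(sha256_hex(payload), expected)


def checksum_over_http_is_useless() -> bool:
    """jpiasetz's objection: when the checksum page is also plain HTTP, whoever
    modified the file also publishes the matching checksum, so the altered
    file verifies. Returns True to show the check is satisfied anyway."""
    rewritten_page_checksum = sha256_hex(TAMPERED_DOWNLOAD)
    return verify_download(TAMPERED_DOWNLOAD, rewritten_page_checksum)


def checksum_over_https_catches_tampering() -> bool:
    """fuzzmeister's fix: the checksum is read from the HTTPS page, so the
    genuine file verifies and the modified HTTP download is rejected."""
    https_page_checksum = sha256_hex(GENUINE_DOWNLOAD)  # what the vendor published
    genuine_ok = verify_download(GENUINE_DOWNLOAD, https_page_checksum)
    tampered_ok = verify_download(TAMPERED_DOWNLOAD, https_page_checksum)
    return genuine_ok and not tampered_ok


if __name__ == "__main__":
    print("checksum over HTTP accepts altered file:", checksum_over_http_is_useless())
    print("checksum over HTTPS rejects altered file:", checksum_over_https_catches_tampering())
```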
------
drx
Must be cool for Colin to have Tarsnap featured there ( _as secure backup
provider Tarsnap puts it, "[b]ackups are supposed to be a tool for mitigating
damage — not a potential vulnerability to worry about!"_ )

