Hacker News new | past | comments | ask | show | jobs | submit login

In theory there are no new security implications, since you shouldn't be using MD5 for secure stuff anyway. The writing has been on the wall for MD5 for a while. This is just another interesting nail in the coffin. It's getting easier and easier to do thing with MD5 that you shouldn't be able to do.

It's still not trivial at all to introduce a payload and make it so the whole package matches a MD5 hash. Haven't seen a PoC ever do this.

Would recommend to go SHA anyway.

Several proofs of concept have been listed elsewhere in the thread.

Thanks, they weren't there when I posted. Will look into that.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact