Closed Bug 856190 Opened 7 years ago Closed 7 years ago

Firefox for Metro uses MD5 as a secure hash algorithm

Categories

(Firefox for Metro Graveyard :: Browser, defect)

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: briansmith, Unassigned)

Details

MD5 should not be considered a secure hash algorithm. In metro/base/content/browser.js, it is used to compress URIs in the function pinSite. Instead SHA256 should be used.

As a general rule, nobody should ever be using MD5 for any purpose.

> As a general rule, nobody should ever be using MD5 for any purpose.

What exactly is the concern here? Hash functions have uses outside of security, and it is used in this case to generate an ID which we don't care if it is reversible via a dictionary attack or any other attack. Unless it makes the machine insecure for some reason, I'm not sure why we need or want to do this.

The hash is used to compress a URI to identify that URI. So, how is that not security-sensitive? The comment says that a unique identifier per site is needed but MD5(site) doesn't give you that property because MD5 is broken.

> The hash is used to compress a URI to identify that URI. So, how is 
> that not security-sensitive?

Security sensitive in which way? Do you mean privacy-wise? They can just see the URL anyway if pinned to the start screen no matter what the ID is.

> The comment says that a unique identifier per site is needed but MD5(site) 
> doesn't give you that property because MD5 is broken.

No hashing function gives you a unique value, but it gives you a close enough to unique value.

Marking as invalid since we're not using hashing for security, just to generate an ID.

Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
No longer blocks: metrov1triage
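
Added example, not part of the bug report or of Firefox's code: the uniqueness property debated in this thread, checked in Python. `make_id`, `differing_offsets` and `find_id_clashes` are hypothetical helpers, and the two inputs are the MD5 collision published by Wang et al. in 2004 (raw binary blocks, not URIs).

```python
import hashlib

# Sample input: the MD5 collision published by Wang et al. in 2004.
# Two 128-byte binary messages (not URIs) that differ in six bytes.
MSG_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
MSG_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def make_id(data: bytes, algorithm: str) -> str:
    """Hypothetical ID derivation: hex digest of the input."""
    return hashlib.new(algorithm, data).hexdigest()


def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte offsets at which two equal-length inputs differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def find_id_clashes(items, algorithm: str) -> dict:
    """Map each ID shared by more than one distinct input to those inputs."""
    by_id = {}
    for item in items:
        by_id.setdefault(make_id(item, algorithm), set()).add(item)
    return {k: v for k, v in by_id.items() if len(v) > 1}


if __name__ == "__main__":
    print("bytes that differ:", differing_offsets(MSG_A, MSG_B))
    for alg in ("md5", "sha256"):
        print(alg, "clashing IDs:", len(find_id_clashes([MSG_A, MSG_B], alg)))
```
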