RE: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

Of course, md5 *used* to be good crypto.

– S

See for
the links, but MD5 has been suspect for a very long time.

Dobbertin found problems with it in 1996. The need for caution with it
was not just knowable but known, and stated publicly. I'm sure others
did so as well; I can only easily quote my own works. From the second
edition of my Firewalls book, in 2003:

  Additionally, \i{SHA} has replaced \i{MD5}, as the latter
  appears to be weaker than previously believed.


  Hints of weakness have shown up in MD5 and RIPEMD-160; cautious
  people will eschew them, though none of the attacks are of use
  against either function when used with HMAC\@.
  As of this writing, the \i{NIST} algorithm appears to be the
  best choice. For many purposes, the newer versions of SHA are
  better; these have block sizes ranging from 256 to 512 bits.

Even if that were not enough, Wang et al presented the actual
collisions in 2004. There have been many updates and patches to more
or less everything since then...

Yes -- if you pick something that's very weak, you can get caught by
surprise. But modern algorithms don't fall all at once.

I should add, of course, that if you use bad algorithms or bad
protocols, it doesn't matter where you store the public key. When I
said that the update problem was easier, what I was saying is that
you're not relying on outside parties for verification of identity,
etc., it's all your own data.

    --Steve Bellovin,