[ipython]

I read through this hoping to have a reasonable discussion of the difference between preimage attacks (see https://en.m.wikipedia.org/wiki/Preimage_attack) and was disappointed when I did not see the topic mentioned once. :(

It is much more computationally feasible to create two inputs from scratch that hash to the same value than to forge an existing documents hash (the threat model I’m assuming they’re discussing in relation to the law).

As far as I know I am not aware of a demonstrated second preimage attack on md5. Not saying to keep using it, just trying to not spread fud.

Edit: I do see second preimage is mentioned about 3/4 of the way through the article. I confess that I did stop reading and started skimming before then.

[adrian_b]

The article mentions the fact that a successful second preimage attack is not always necessary.

A successful second preimage attack is needed if you want to make a second variant with the same hash like an already existing legal document.

However, when the original document is not yet in the possession of others (or there might be a way to destroy or replace their older copies), you can make more or less invisible modifications to it, so that a second different document will have the same hash with it. Then the altered original document can be handed to other parties, who will not notice changes from whatever had been agreed, while keeping an alternative document that can be shown later as having the same hash.

While opportunities for such a forgery should happen less often, it is much better to use a collision-resistant hash to completely remove this possibility.

[userbinator]

Yes, if you haven't already noticed, crypto is just a religion at this point, propagated by the "experts" who don't actually think and actively silence dissent.

[evouga]

I think it's simply that the blog author and commentators have an unrealistic threat model when it comes to how the legal profession uses MD5s.

After the first high-profile case where authenticity of evidence gets called into question because a seized electronic document was deliberately doctored to allow for a hash collision (if that ever happens), there will be a will to change to something new.

[refulgentis]

I doubt it, legal types won't see this as a math problem[1], but a legal problem (forging documents)

[1] unless I'm missing something, this boils down to: "given f(x: string) => y, how can I minimize the odds that you can generate an X for a desired Y"