[upofadown]

>Avoid: HMAC-MD5, HMAC-SHA1 and such. The underlying hash function has to be safe.

Interestingly enough, there is a proof out there that more or less states the opposite for HMAC-MD5 and HMAC-SHA1:

* https://eprint.iacr.org/2006/043.pdf

The issue here is that MD5 and SHA1 are broken for collisions. But no one could figure out an actual attack for HMACs based on them. The linked paper is an attempt to explain that.

[woodruffw]

I think the phrasing in this post could be better, but the basic observation is sound: if the last use of a weak hash function in your codebase is in HMACs, then it’s better to upgrade to a stronger underlying hash function and apply a blanket ban to the weak ones. Similarly, in a greenfield codebase, there’s no reason to pick an HMAC construction based on a weaker hash when collision-resistant ones are universally available.