This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[db-wg] MD5s of the RIPE database, Deprecation of MD5 and safe authentication methods
Christiaan Ottow
chris at 6core.net
Tue May 5 21:08:38 CEST 2015
Hi Pierre,

On 04/05/15 22:12, Pierre Kim wrote:
> Dear Database Working Group Members,
>
> By reading https://labs.ripe.net/Members/kranjbar/password-management-in-ripe-database,
> I see: "The MD5 hash is public, when running a single query (not
> for bulk queries)."
> I assume this was a known problem but the RIPE didn't alert that all
> the hashes have been retrieved, although there was some urgency to
> change the passwords or to use a safer authentication method.
>
> When I discussed it with RIPE NCC Security, I gave a 90 day disclosure
> policy about this "public" information, starting from the 16 Apr 2015.

What public information exactly do you mean?

> The 90 day period can be adjusted by adding more days at the end if
> RIPE shows a good progress of the migration. I wanted to do
> responsible disclosure when I saw the RIPE Responsible Disclosure
> Policy which is a Really Good Thing, I think.

What migration? RIPE has changed the database scheme to hide passwords, recommended all MNTners to change their password, and offers stronger means of authentication. What more do they need to do right now?

> According to the RIPE transparency, as recommended by RIPE NCC
> Security, therefore I am now contacting this working group to work
> together because deprecation of MD5 is an important change in the RIPE
> database and it must be debated in a democratic manner.
>
> My analysis is simple: The MD5 authentication is broken for years and
> it's time to change to a more secure method. I think people need to
> be encouraged to move to SSO authentication. Using MD5 now is unsafe
> and dangerous, especially with unchanged 4 year-old passwords.
>
> Please share your thoughts about this situation. I will be happy to
> debate with you.
>

At this point, I'm very curious as to:

1) What information do you plan to disclose in 90 days?
2) What do you expect of RIPE in that period?

--
chris