[tor-bugs] #22971 [Applications/Tor Browser]: The XPI signing mechanism needs to use different hash functions.
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Jul 18 22:46:38 UTC 2017
#22971: The XPI signing mechanism needs to use different hash functions.
------------------------------------------+----------------------
 Reporter:  yawning                       |      Owner:  tbb-team
     Type:  defect                        |     Status:  new
 Priority:  Medium                        |  Milestone:
Component:  Applications/Tor Browser      |    Version:
 Severity:  Normal                        |   Keywords:
Actual Points:                            |  Parent ID:
   Points:                                |   Reviewer:
  Sponsor:                                |
------------------------------------------+----------------------
 https://wiki.mozilla.org/Add-ons/Extension_Signing

 Signing 2 hashes of a manifest file containing 2 hashes each of every file
 in an archive, especially when "2 hashes" is MD5 and SHA1, is
 cryptographically unsound.

 See Joux, A., "Multicollisions in Iterated Hash Functions. Application to
 Cascaded Constructions".

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22971>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
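
The Joux result cited in the ticket, as an added example that is not part of the original ticket or of Mozilla's signing code: for two iterated hashes F and G, a collision for the concatenation F||G costs roughly what a collision for the stronger one costs, not the product of the two. The toy hashes below (SHA-256 truncated to 16 bits, 4-byte blocks, no length padding) are assumptions chosen so the search finishes in well under a second; they stand in for MD5 and SHA1 only structurally.

```python
import hashlib
from itertools import count, product

def make_md_hash(tag: bytes, nbytes: int):
    """Toy iterated (Merkle-Damgard) hash: chained SHA-256 truncated to nbytes."""
    def compress(state: bytes, block: bytes) -> bytes:
        return hashlib.sha256(tag + state + block).digest()[:nbytes]
    def digest(blocks, state=bytes(nbytes)):
        for block in blocks:
            state = compress(state, block)
        return state
    return compress, digest

def block_collision(compress, state):
    """Birthday search: two distinct blocks mapping `state` to the same next state."""
    seen = {}
    for i in count():
        block = i.to_bytes(4, "big")
        out = compress(state, block)
        if out in seen:
            return seen[out], block, out
        seen[out] = block

def cascade_collision(min_blocks=8):
    """Find m1 != m2 with F(m1) == F(m2) and G(m1) == G(m2)."""
    f_compress, f = make_md_hash(b"F", 2)   # 16-bit toy hash F
    _, g = make_md_hash(b"G", 2)            # 16-bit toy hash G
    state, pairs = bytes(2), []
    while True:
        # Each chained one-block collision in F doubles the number of
        # messages that all share the same F digest (a 2^k multicollision).
        a, b, state = block_collision(f_compress, state)
        pairs.append((a, b))
        if len(pairs) < min_blocks:          # need about 2^(16/2) candidates for G
            continue
        # All 2^k messages already collide under F, so a plain birthday
        # search over them under G yields a collision for F||G.
        seen = {}
        for msg in product(*pairs):
            d = g(msg)
            if d in seen:
                return seen[d], msg, f, g
            seen[d] = msg

if __name__ == "__main__":
    m1, m2, f, g = cascade_collision()
    print(b"".join(m1).hex(), b"".join(m2).hex())
    print("F:", f(m1).hex(), f(m2).hex(), "G:", g(m1).hex(), g(m2).hex())
```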