As to weaknesses, I seem to remember that someone managed to forge a modification to a program used to observe networks on a Sun so that it had the same MD5 checksum as the official trusted version. But whether this is real is not strictly the issue.
Ron has not mentioned such an event to me and if that were the case I would seriously doubt that he would not have been told about it. The only comment he
generally makes is that he wrote MD5 because "MD4 was making me nervous".
In the case of the trust being placed in MD5 by Netscape, the assumption being made (without adequate support as far as I can tell) is that an MD5 checksum cannot be forced, through a chosen plaintext attack, to
Netscape do not simply use the MD5 of the message, they are using (as I understand it) the PKCS#1 standard for makoing the signature. If not they probably have severe problems.
There has been no limit given by anyone on this list to the level of trust they place in MD5. Several people have posted (without contention) that MD5 is sufficiently trustworthy to trust billions of dollars in commerce to it's being able to prevent a selected plaintext attack as eluded to above.
NIST and the NSA trusted MD4 sufficiently to base SHA upon it. SHA is preferab le in many ways to MD5, it has a different approach to extending the scheduling a nd resist differential cryptanalysis. There is a problem with the compressor function of MD5 which I dislike. This is fairly irrelevant though since SSL allows other digests to be used.
Phill
I hesitate to jump in to this exchange given the defensive and vague nature of the discussion, but... While I agree that SHA seems preferable, for a number of reasons, to MD5, it is worth noting that Hans Dobbertin of the German Information Security Agency recently found a collision in MD4. His attack allows you to generate a pair of plainexts that generate the same hash. A fast technique for finding a second plaintext that hashes to some given value remains an open problem with MD4 (and SHA and MD5, for that matter). As far as I can tell the attack does not readily generalize to MD5 or SHA. -matt