On Tue, 24 Oct 1995, Dr. Frederick B. Cohen wrote:
[...] In the case of the trust being placed in MD5 by Netscape, the assumption being made (without adequate support as far as I can tell) is that an MD5 checksum cannot be forced, through a chosen plaintext attack, to yield checksums of 1, 2, 3, 5, 7, 9, ... on up to enough primes to allow the known plaintext attack that gets the RSA private key used to authenticate messages. As far as I am aware (and I may not be aware of everything) there is no reference work to support this assumption. If the assumption is wrong, then the whole SSL can fall to a selected plaintext attack launchable (presumably) through those general purpose Java applets we have heard so much about.
The above paragraph is complete crap. - Andy, speaking only for himself.