About that Weak Hash (MD5) Scanner Problem
I hate it when a vendor of a product I use starts throwing FUD (fear, uncertainty, and doubt) around, but I’ve been in the security and cryptography space since the early 1990s and know that pissing matches are common.
Today Wordfence published a blog post describing a “Weak Hash Scanner Problem”.
A ‘hash’ is a cryptographically derived, fixed-length string of digits whose purpose is to uniquely identify a body of software code or any other digital object. The idea is that if someone changes even a single bit in the object, the hash for it will be drastically different. Many years ago I was involved in a project to use hashes and digital signatures to guarantee the integrity of digital X-ray images. There are many mathematical algorithms for generating a hash. One of the oldest is called MD5. One of the newest (and strongest) is called SHA-2.
The thrust of the Wordfence blog post is to beware of systems that use an MD5 hash to check and verify the integrity of a digital object because there are known vulnerabilities in MD5. Wordfence then goes on to impugn one of their competitors, Sucuri.net, for using MD5.
I am also a Sucuri.net customer.
Some facts:
- The WordPress repository uses MD5. Therefore, if you want to check the integrity of a WordPress core file or plugin against the official WordPress repository, you have no choice but to use MD5. This is exactly what the free version of Sucuri’s WordPress plugin does.
- Neither Sucuri’s fee-based malware scanner, nor its firewall, nor any of its core services use MD5.
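To make the integrity check described above concrete, here is an added Python example; it is not code from this post, nor from Sucuri, Wordfence or WordPress. It assumes a constructed file body standing in for a core file, and a constructed manifest that maps an algorithm name to the expected hex digest, the way a repository checksum list would. It shows the check itself (computed digest versus manifest value, compared in constant time), the avalanche property the post mentions (one flipped bit changes most of the digest), and that the same code works unchanged with SHA-256 when a manifest provides it.

```python
import hashlib
import hmac

# Constructed sample standing in for the contents of a WordPress core file.
# This is not a real file from any repository.
ORIGINAL = b"<?php\n// wp-sample.php (constructed for this example)\necho 'hello';\n"


def file_digest(data: bytes, algo: str = "md5") -> str:
    """Return the hex digest of `data` using the hashlib algorithm named by `algo`."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def verify_against_manifest(data: bytes, expected_hex: str, algo: str = "md5") -> bool:
    """Compare the computed digest with the manifest value.

    hmac.compare_digest is used so the comparison time does not depend on
    where the first differing character is.
    """
    return hmac.compare_digest(file_digest(data, algo), expected_hex.lower())


def flip_one_bit(data: bytes, byte_index: int = 0, bit: int = 0) -> bytes:
    """Return a copy of `data` with a single bit toggled, simulating a tiny change."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def differing_hex_positions(a: str, b: str) -> int:
    """Count hex characters that differ between two equal-length digests."""
    if len(a) != len(b):
        raise ValueError("digests must be the same length")
    return sum(1 for x, y in zip(a, b) if x != y)


def check_file(data: bytes, manifest: dict) -> dict:
    """Verify `data` against every algorithm in `manifest` ({algo: expected_hex}).

    Returns {algo: True/False}. A repository that only publishes MD5 yields a
    one-entry manifest; a richer one can carry SHA-256 alongside it.
    """
    return {algo: verify_against_manifest(data, hexval, algo) for algo, hexval in manifest.items()}


if __name__ == "__main__":
    # Constructed manifest: what a trusted checksum list for ORIGINAL would contain.
    manifest = {
        "md5": file_digest(ORIGINAL, "md5"),
        "sha256": file_digest(ORIGINAL, "sha256"),
    }
    print("untouched file:", check_file(ORIGINAL, manifest))

    tampered = flip_one_bit(ORIGINAL, byte_index=10, bit=3)
    print("one bit flipped:", check_file(tampered, manifest))
    for algo in manifest:
        changed = differing_hex_positions(file_digest(ORIGINAL, algo), file_digest(tampered, algo))
        print(f"{algo}: {changed} of {len(manifest[algo])} hex digits changed")
```

Two points a practitioner should keep in mind when reading the output. First, this check is only as trustworthy as the manifest: the expected digests have to arrive over an authenticated channel, or an attacker who can alter the file can alter the checksum list too. Second, MD5 still reliably flags a modified copy of a known-good file, which is what a repository comparison does; the known weakness is collision resistance, which matters when the same party can craft both the "good" and the "bad" version in advance. Where a SHA-256 manifest is available, the code above uses it without any other change.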
This is not Wordfence’s first attempt to throw FUD upon its competitors (see ‘About the Cloud WAF Bypass Problem’). It is interesting to note that Wordfence’s pissing began shortly after they drastically raised their prices. While Sucuri’s price is still higher than Wordfence’s price, I’ll bet the difference is now small enough to make many people weigh the two and choose Sucuri’s product.