SHA instead of MD5?

[sdenike]

I have heard that MD5 is not as reliable these days and SHA would actually be a better way of checking. Any plans to change to SHA or give a flag to choose either MD5 of SHA?

[eriktorsner]

Good point. If so, a flag would be the way to go. Indeed MD5 is considered less secure than SHA1, it's a lot less likely that a modified has the same SHA1-hash as the original. But for practical purposes in terms of detecting modified files in a WP-install. I think the risk is still very low.

The reason that I went for MD5 is that wordpress.org has an API for checking the core of WordPress. That API is the backend the built in core verify-checksums command. Considering the availability of SHA1 in PHP 4+, it's slightly surprising that wordpress.org uses MD5 instead of SHA1. But anyway, that was the reason wp-checksum uses MD5 over SHA1

The wp-checksum command is backed by an API (api.wpessentials.io) that caches the hashes for all plugins it's already checked. The obvious downside is that the cache will be a little more than twice as large if SHA is to be an alternative. Currently at about 1000 plugins with 28000 individual plugin versions, the cache is around 250 Mb.

Another consideration is how to modify the API. Send both SHA and MD5 sums and let the client decide what to use, or different API endpoints for each type of hash?

Should be fixed but requires some analysis.

[eriktorsner]

Realized one more thing.

Some of the premium plugin vendors have been willing to help contributing their checksums (i.e check http://api.wpessentials.io/v1/checksum/plugin/gravityforms/2.0.2). A few hav done so by sending md5 hashes citing "we already have that internally" as the reasons.

So for some plugins, wp-checksum will only ever be able to compare against md5 hashes.

[eriktorsner]

I'm keeping this issue open, I just want to add some additional comments.

I was on the verge of closing this issue and just accept that md5 still is a wide spread defacto standard for file hashes. However, Google recently announced that they now have a proof-of-concept method of creating collisions in sha1 hashes and that made me think. Should a tool that was first developed in 2016 really rely on MD5 for cryptographic hashes?

The purpose of wp-checksum is obviously to increase WordPress security by offering a tool that detects modified files. While I never heard of a WordPress hack where a hacked file retained the same md5 hash as it's original version, the mere fact that it's possible is cause for concern. The obvious next step to increase the strength of hashes would have been to move to sha1 hashes, but with Google recent announcement, sha1 is slowly (but certainly) going to be considered a lesser hashing algorithm. A security tool that relies on MD5 isn't justifiable in 2017. But perhaps I should be glad that I didn't already start a transition towards sha1.

The recommended solution is to move on to use sha-256 instead so that is what I intend to do with wp-checksum. It's not going to happen overnight but it will happen. Since I'm also running a backend API with close to 40k plugins indexed, the pace of this transition might take some time.