ietf-openpgp

Re: re-consideration of TIGER

2004-08-18 09:53:59

* Lutz Donnerhacke:

Unless the attack is not substantiated, wild actionism should be avoided.

Agreed.

Currently the attack looks like exploiting insufficient highest bit
handling of the internal state variables. This is a matter if the
protocol applies a random(!) padding directly before hashing.

Source?

Based on my extrapolation of the pseudo-paper, it also depends where
the padding is added, if some length information is protected by the
hash, and the overall purpose of the hash function.  While MD5 has
certainly been broken, this doesn't seem to lead to immediate attacks
on real protocols.

(The impact on V3 keys could be interesting, though.)

