Last week I needed an MD5 checksum to verify a file against a vendor’s published manifest. Old habit kicked in: open devtools, reach for the Web Crypto API, type one line. It failed on the spot:
await crypto.subtle.digest('MD5', new TextEncoder().encode('abc'))
// DOMException: Algorithm: Unrecognized name MD5No MD5. Not deprecated-with-a-warning — just absent, like it was never on the menu. That single rejection is the whole reason HashForge, the in-browser hash generator I keep bookmarked, ships its own MD5 routine instead of asking the browser. Here’s why the browser says no, and how HashForge works around it without uploading your file anywhere.
The Web Crypto API blocks MD5 on purpose
The digest side of the Web Crypto API supports exactly four algorithms: SHA-1, SHA-256, SHA-384, and SHA-512. That list is fixed in the W3C spec. MD5 isn’t missing because nobody filed a ticket — the working group left it out, along with MD4, because shipping a broken hash through an API named “crypto” invites people to misuse it.
MD5 has had practical collision attacks since 2004, when Wang and Yu produced two different inputs with the same digest by hand-tuning the message. By 2008 researchers used MD5 collisions to forge a rogue CA certificate. The hash is finished for anything where an attacker controls the input.
Here’s the part I find funny: the browser still lets you compute SHA-1, which Google and CWI fully collided in 2017 with the SHAttered attack. SHA-1 stayed in the spec for backward compatibility with existing protocols. MD5 never made the cut at all. The vendors drew a line, and MD5 landed on the wrong side of it.
I agree with that call for new code. The catch is that the rest of us still bump into MD5 constantly, and almost never for security:
- Vendor downloads still publish an MD5 next to the file
- S3 ETags are the MD5 of the object for single-part uploads
- Legacy rows store
md5(email)for Gravatar-style lookups - Plenty of internal tools fingerprint content with MD5 because it’s fast and short
So you hit a wall. The data is MD5, the browser refuses to compute MD5, and you would rather not paste a confidential file into some random “free MD5 online” site that ships it off to a server you’ve never audited.
How HashForge fills the gap
HashForge splits the work in two. For the SHA family it calls the native API — fast, audited, hardware-accelerated on most machines:
const ALGOS = ['MD5','SHA-1','SHA-256','SHA-384','SHA-512'];
async function hashText(text, algos, enc='hex'){
const encoded = new TextEncoder().encode(text);
const out = {};
for (const algo of algos){
if (algo === 'MD5'){
out[algo] = formatHash(md5(encoded.buffer), enc); // pure JS
} else {
const hash = await crypto.subtle.digest(algo, encoded); // native
out[algo] = formatHash(hash, enc);
}
}
return out;
}For MD5 it falls back to a self-contained JavaScript implementation — the classic safeAdd / bitRotateLeft / md5cmn routine you’ve seen in a dozen libraries, working directly on an ArrayBuffer. No dependency, no network call, a couple hundred lines of code.
Why MD5 is small enough to ship inline
MD5 is a Merkle–Damgård construction. It pads the message to a multiple of 512 bits, then chews through it one 512-bit block at a time, updating four 32-bit state words across 64 operations grouped into 4 rounds. The whole thing is integer addition, bit rotation, and a handful of boolean mixing functions. That’s it — no S-boxes, no lookup tables, no big constants beyond a sine-derived table you can generate in one line.
Because the algorithm is so plain, a correct MD5 fits in a few hundred bytes of minified JavaScript. SHA-512 by hand would be heavier and slower in JS, which is exactly why HashForge doesn’t reimplement the SHA family — the native crypto.subtle path is both faster and already vetted. You only drop to hand-rolled code for the one algorithm the platform won’t give you.
The privacy detail that actually matters
Files go through the same split. The page reads the file with file.arrayBuffer() and hands the raw bytes straight to either the native digest or the JS MD5:
const buf = await file.arrayBuffer();
const hash = await crypto.subtle.digest('SHA-256', buf);That arrayBuffer() call is the whole privacy story. The bytes are read into memory inside your tab and never touch a network socket. Open the Network panel while you hash a 200 MB ISO and you’ll see zero requests. Pull your wifi and it keeps working, because there was never a server in the loop. Compare that to the typical “online hash calculator,” which POSTs your file to a backend and trusts you to believe their retention policy.
Verify the output yourself in ten seconds
Don’t take my word that the MD5 path is correct — a hash tool that quietly mis-pads is worse than no tool. Hash the empty string and abc, then check against the canonical test vectors:
MD5("") = d41d8cd98f00b204e9800998ecf8427e
MD5("abc") = 900150983cd24fb0d6963f7d28e17f72
SHA-256("abc") = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015adType abc into HashForge and you’ll get those exact bytes. I cross-checked them against md5sum and sha256sum on a Linux box before trusting the tool with anything real. Two-minute habit, and it catches a surprising number of broken implementations.
HMAC is native-only, and that’s the right limit
One place HashForge refuses to fill a gap: HMAC. It offers HMAC-SHA1/256/384/512 and stops there, because Web Crypto’s importKey plus sign('HMAC', ...) only accepts the SHA family. There’s no HMAC-MD5 button.
That’s correct, not lazy. If you’re computing an HMAC you’re authenticating something, and HMAC-MD5 has no place in new code. The tool steers you to SHA-256 by simply not offering the broken option — the same stance the browser takes on raw MD5, applied one layer up.
Which hash for which job
A quick field guide, because this question comes up every week:
- Matching a published checksum: use whatever the publisher used, MD5 or SHA-256. You’re catching accidental corruption, not an attacker, so a broken hash is fine here.
- Content fingerprint, cache key, dedup: SHA-256 if you have a free choice; MD5 only to match an existing system.
- Passwords: none of these. Use Argon2 or bcrypt. A raw SHA-256 of a password is still a leak waiting to happen.
- Tokens and signatures: HMAC-SHA256 at minimum.
If you want the actual math behind why MD5 fell and SHA-256 holds, Serious Cryptography by Jean-Philippe Aumasson is the clearest book I’ve found on collision attacks without drowning you in proofs. For the engineering side — where each primitive shows up in TLS, signatures, and storage — Real-World Cryptography by David Wong is the one I lend out most. Full disclosure: both are Amazon affiliate links.
Why I keep it bookmarked
The pitch is narrow and that’s the point. I need a hash, I can’t install a CLI on a locked-down work laptop, and I really don’t want to upload a file to a stranger’s server. HashForge does that one job: it computes all five digests at once, outputs hex or Base64, and runs on a text string or a dropped file. It pairs with the other browser-only tools I reach for — Base64Lab when I need to decode a token and PassForge when I need a random key — none of which phone home.
Try it: HashForge. Hash something, open your Network tab, and watch nothing happen.
Join https://t.me/alphasignal822 for free market intelligence.
📧 Get weekly insights on security, trading, and tech. No spam, unsubscribe anytime.
Leave a Reply