Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Progressively get rid of MD5 #1895

Open
bloatware opened this issue Dec 9, 2023 · 2 comments
Open

Progressively get rid of MD5 #1895

bloatware opened this issue Dec 9, 2023 · 2 comments
Assignees
@Bloke @bloatware
Labels
core security

Comments

@bloatware
Copy link
Member

Is your feature request related to a problem?

Potentially.

What is the feature?

We currently use MD5 for all sort of hashes, both cryptographic and not. But

  • MD5 is not very reliable as crypto hash and could be replaced by Tiger-128, which is slightly faster too.
  • PHP8 implements XXH algo for non-crypto hashes, which is way faster.

The only drawback of replacing MD5 seems to be that we use it also in some db queries, but this is not essential.

Thoughts?
@Bloke
Copy link
Member

Bloke commented Dec 10, 2023
edited

I'm all for migrating. We do need to harden the login session cookies anyway because it's a bit old hat. Since the move to a better algorithm will invalidate login cookies when we get to the md5s used there, it makes sense to do both at the same time to minimise disruption.

@bloatware
Copy link
Member Author

Yep, 4.9 is probably a good moment to do it, since we tighten the security here and there. The public cookie is especially weak. Tokens are concerned too.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Bloke Bloke

@bloatware bloatware

Labels
core security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Bloke @petecooper @bloatware