Progressively get rid of MD5 #1895
Comments
I'm all for migrating. We do need to harden the login session cookies anyway because it's a bit old hat. Since the move to a better algorithm will invalidate login cookies when we get to the md5s used there, it makes sense to do both at the same time to minimise disruption.
Yep, 4.9 is probably a good moment to do it, since we tighten the security here and there. The public cookie is especially weak. Tokens are concerned too.
Is your feature request related to a problem?
Potentially.
What is the feature?
We currently use MD5 for all sorts of hashes, both cryptographic and not. But
The only drawback of replacing MD5 seems to be that we also use it in some DB queries, but this is not essential.
Thoughts?