Migrate to sha384/512 on SRI hash calculation #11123

Closed
PeterDaveHello opened this issue Apr 23, 2017 · 9 comments

Comments

@PeterDaveHello
Contributor

PeterDaveHello commented Apr 23, 2017

Issues:

  1. We'll need a powerful and individual platform to focus on re-calculating all the hashes over all the 950k JS & CSS files?
  2. Should the original sha256 hashes be preserved? If the answer is yes, how do we deal with it? (How to display them on the UI? How to save both sha256 and sha384 hashes?)
  3. How urgently do we need it?
  4. What's the impact on performance for both hash calculation and website hosting? Especially the calculation time and memory consumption part.


@PeterDaveHello PeterDaveHello self-assigned this Apr 23, 2017
@PeterDaveHello PeterDaveHello changed the title Migrate to sha384 on SRI hash calculation Migrate to sha384/512 on SRI hash calculation Sep 8, 2019
@MattIPv4
Member

MattIPv4 commented Sep 8, 2019

Bringing @drewfreyling's comment from #13384:

I'm in favour of just offering up the SHA-512 values since it is:

If at some point we get fragmented browser support then I think providing multiple hashes makes sense.

@myshov

myshov commented Nov 23, 2019

@PeterDaveHello @MattIPv4
Hello guys
I think you should prioritize this issue because SHA-256 and SHA-512 are susceptible to length extension attacks. I suggest using SHA-384 by default because it does not have this flaw: https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks

@MattIPv4
Member

cc @zackbloom @xtuc

@MattIPv4
Member

We should keep this open as we are still looking at implementing this.

@MattIPv4 MattIPv4 reopened this Feb 23, 2020
@PeterDaveHello
Contributor Author

Feel free to open a new issue for it (or maybe just use the opened pull request for discussion). As I was removed from the organization without any discussion or respect, just like some other members (I know it's not by you and you're not the one who's in charge of that), I'm now closing ancient issues I'm not working on so that I don't receive unnecessary notifications, thanks.

@xtuc xtuc reopened this Feb 23, 2020
@ExE-Boss

ExE-Boss commented Feb 23, 2020

Did you know that you can simply unsubscribe from issues you no longer wish to receive notifications for?

It’s what that button in the sidebar is there for.


https://help.github.com/en/github/receiving-notifications-about-activity-on-github/subscribing-to-and-unsubscribing-from-notifications#managing-your-notification-settings-for-an-issue-or-pull-request

@MattIPv4
Member

MattIPv4 commented Jun 3, 2020

Noting this down: the current SRI generation happens in https://github.com/cdnjs/tools/blob/master/packages/packages.go#L86 & https://github.com/cdnjs/tools/blob/master/openssl/sri.go
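
The SRI tokens this thread is about, as an added example (not cdnjs tooling, and not the code in the `packages.go` / `sri.go` files linked above): a small Go program that computes `sha256`, `sha384` and `sha512` integrity tokens for the same bytes, emits them side by side in one `integrity` attribute (the SRI spec allows several tokens in one attribute, which is one way to keep the old sha256 value next to a new sha384/sha512 one), and then checks content the way a browser does, enforcing only the tokens of the strongest algorithm present. The sample asset bytes and the `demo.js` name are constructed for the demo; the function names are the example's own.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"hash"
	"strings"
)

// Algorithms SRI defines, weakest first. A browser that sees several tokens in one
// integrity attribute enforces only the ones using the strongest algorithm present.
var sriAlgorithms = []string{"sha256", "sha384", "sha512"}

// algRank returns the index of alg in sriAlgorithms, or -1 if SRI does not know it.
func algRank(alg string) int {
	for i, a := range sriAlgorithms {
		if a == alg {
			return i
		}
	}
	return -1
}

func newHash(alg string) hash.Hash {
	switch alg {
	case "sha256":
		return sha256.New()
	case "sha384":
		return sha512.New384() // SHA-512 truncated to 48 bytes
	case "sha512":
		return sha512.New()
	}
	return nil
}

// SRIToken computes one "<alg>-<standard base64 digest>" token for content.
func SRIToken(alg string, content []byte) (string, error) {
	h := newHash(alg)
	if h == nil {
		return "", fmt.Errorf("unsupported SRI algorithm %q", alg)
	}
	h.Write(content)
	return alg + "-" + base64.StdEncoding.EncodeToString(h.Sum(nil)), nil
}

// IntegrityAttribute builds a space-separated integrity value with one token per
// requested algorithm, i.e. sha256 and sha384/sha512 published side by side.
func IntegrityAttribute(content []byte, algs ...string) (string, error) {
	tokens := make([]string, 0, len(algs))
	for _, alg := range algs {
		tok, err := SRIToken(alg, content)
		if err != nil {
			return "", err
		}
		tokens = append(tokens, tok)
	}
	return strings.Join(tokens, " "), nil
}

// VerifyIntegrity follows the browser's matching rules: ignore tokens with unknown
// algorithms, keep only tokens of the strongest recognised algorithm, and accept the
// content if any of those matches. With no usable token the attribute constrains
// nothing, which is also what a browser does, so a typo in the algorithm name means
// no protection rather than a blocked load.
func VerifyIntegrity(integrity string, content []byte) bool {
	strongest := -1
	var digests [][]byte
	for _, tok := range strings.Fields(integrity) {
		alg, enc, ok := strings.Cut(tok, "-")
		if !ok {
			continue
		}
		if i := strings.IndexByte(enc, '?'); i >= 0 {
			enc = enc[:i] // drop the option-expression the spec reserves after '?'
		}
		rank := algRank(alg)
		if rank < 0 {
			continue
		}
		if rank > strongest {
			strongest, digests = rank, nil
		}
		// A recognised algorithm with an undecodable digest still counts as metadata
		// to enforce; it simply can never match.
		if digest, err := base64.StdEncoding.DecodeString(enc); err == nil && rank == strongest {
			digests = append(digests, digest)
		}
	}
	if strongest < 0 {
		return true
	}
	h := newHash(sriAlgorithms[strongest])
	h.Write(content)
	actual := h.Sum(nil)
	for _, d := range digests {
		if subtle.ConstantTimeCompare(d, actual) == 1 {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample asset; not a real cdnjs file.
	asset := []byte("window.__cdnjsDemo = function () { return 42; };\n")
	attr, err := IntegrityAttribute(asset, "sha256", "sha384", "sha512")
	if err != nil {
		panic(err)
	}
	fmt.Printf("<script src=\"demo.js\" integrity=\"%s\" crossorigin=\"anonymous\"></script>\n", attr)
	fmt.Println("intact   :", VerifyIntegrity(attr, asset))
	fmt.Println("tampered :", VerifyIntegrity(attr, []byte(string(asset)+"alert(1);\n")))
}
```

Two consequences worth noticing when deciding how to publish multiple hashes: a stale but correct sha256 token next to a sha384 token for different bytes fails (only the sha384 is checked), and the reverse passes, so shipping both algorithms in one attribute costs nothing for browsers that know sha384 while still giving older ones a sha256 to check.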

@klausenbusk

I have opened a PR: cdnjs/tools#46

@xtuc
Member

xtuc commented Jul 1, 2020

Thanks for your PR @klausenbusk! It already LGTM, but I want to make sure which SHA-384/512 we should be using.
