changed the hashing algorithm from sha1 to sha256 due to security problems #990

Open
wants to merge 1 commit into
base: master

lucianidev

Hello,
In issue #989, the user references a vulnerability in the hashing algorithm sha1. The hashing method turned out to be vulnerable to hash collisions, making it insecure. I changed the hashing method from sha1 to sha256, making it more secure. Tell me about any problems.
I hope you have a good day.

Documentation:
https://crypto.stackexchange.com/questions/48289/how-secure-is-sha1-what-are-the-chances-of-a-real-exploit
https://www.quora.com/How-secure-is-SHA1-What-are-the-chances-of-a-real-exploit
https://stackoverflow.com/questions/38038841/why-is-sha-1-considered-insecure

@jonchurch
Member

sha1 is being used as a fast and efficient hash to detect changes in the session object.

It is not cryptographically relevant, nor used for signing purposes.

@krko12345

Hello team, is this going to be addressed at some point soon?
Session is being reported as a vulnerability by monitoring tools because of its use of sha1.
