Replace SHA-1 with a more secure hashing algorithm #8084
Comments
ytimocin
added
the
maintenance
|
👋 @ytimocin Thanks for filing this issue. A project maintainer will review this issue and get back to you soon. We also welcome community contributions! If you would like to pick this item up sooner and submit a pull request, please visit our contribution guidelines and assign this to yourself by commenting "/assign" on this issue. For more information on our triage process please visit our triage overview |
|
Add the link to the threat model. cc/ @ytimocin |
|
👍 We've reviewed this issue and have agreed to add it to our backlog. Please subscribe to this issue for notifications, we'll provide updates when we pick it up. We also welcome community contributions! If you would like to pick this item up sooner and submit a pull request, please visit our contribution guidelines and assign this to yourself by commenting "/assign" on this issue. For more information on our triage process please visit our triage overview |
|
We are not going to be doing this as of now since it may introduce unnecessary complexity, and we don't use SHA-1 in any part that is going to be a security issue. We can revisit based on the outcome of the security review. |
Area for Improvement
Right now, we use SHA-1 hashing algorithm in cases like hashing the resource IDs or creating ETags.
We should use a more secure hashing algorithm since SHA-1 is not recommended for production use: https://pkg.go.dev/crypto/sha1.
From its official documentation: "SHA-1 is cryptographically broken and should not be used for secure applications."
Observed behavior
SHA-1 is not secure enough.
Desired behavior
Update to a more secure algorithm.
Proposed Fix
rad Version
edge
Operating system
No response
Additional context
No response
Would you like to support us?
AB#13747
The text was updated successfully, but these errors were encountered: