Document security considerations #2

New issue

Open

opened 2016-11-07 18:33:02 +00:00 by geoff · 1 comment

geoff commented 2016-11-07 18:33:02 +00:00 (Migrated from code.uplex.de)

Copy link

A general statement about security seems appropriate, in addition to some specific comments:

• The VMOD implements HMAC with SHA3_*, but the "double hashing" isn't necessary, since SHA3 is not vulnerable to length extension attacks. It's sufficient to just concatenate the key with a message (initialize a digest object with the key in vcl_init).
• MD5 and SHA1 are for legacy, and should not be used in new code.
• CRC32 isn't crypto.

A general statement about security seems appropriate, in addition to some specific comments: * The VMOD implements HMAC with SHA3_*, but the "double hashing" isn't necessary, since SHA3 is not vulnerable to length extension attacks. It's sufficient to just concatenate the key with a message (initialize a digest object with the key in vcl_init). * MD5 and SHA1 are for legacy, and should not be used in new code. * CRC32 isn't crypto.

slink commented 2023-07-07 15:23:21 +00:00 (Migrated from code.uplex.de)

Copy link

mentioned in commit 86a523ab10

mentioned in commit 86a523ab109a2cbcd0e2d32cbed5cad0ad0cc18e

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

vmod_vcs_version_nogitrepo

gitlab_ci

readme_refacto

vcdk_migration

7.3

6.0

7.0

7.2

6.6

6.5

6.3

6.2

6.1

5.2

5.1

5.0

4.1

branch-7.3

v1.7.0

v1.6.0

v1.5.0

v1.3.2

v1.3.1

v1.3.0

v1.0

v1.1

v0.2

v0.1

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

uplex-varnish/libvmod-blobdigest#2

No description provided.