apr-dev mailing list archives

From Helmut Tessarek <tessa...@evermeet.cx>
Subject Re: digest functions and validation
Date Sat, 03 May 2014 02:09:22 GMT
On 02.05.14 21:29, William A. Rowe Jr. wrote:
> I would suggest that is a role for more cryptographic or hash provider
> libraries.  These were included based on their prevalence in web and similar
> protocols, not for cryptographic strength.

I agree to a certain degree, but the use of digests has shifted over the past
few years. While md5 and sha1 have been used to store passwords in tables or
files for web access in the past, now bcrypt and sha256/sha512 are used.

I'm just saying that the current digest implementation (as also seen in
htpasswd) is dated and should be updated to current standards.

I do understand that there are crypto and hash libraries that support dozens
of digests, but I'm just talking about the most used ones these days.
(e.g. Linux also switched to sha256 in /etc/shadow a while back)

By not adding the new standards to APR, you basically force users to use old
and unsafe digests when using APR.
Now people have to use sha1 (for the passwords on disk) to secure their web
sites via htpasswd. Do you really think that this is the proper course of action?

Also, the longer you don't give admins the tools to use safer digests, the
longer it will take to actually do so. You deadlock advancement.

Cheers,
 Helmut

P.S.: Can the owner of the mailing list please add the list's address as the
reply-to field?

-- 
regards Helmut K. C. Tessarek
lookup http://sks.pkqs.net for KeyID 0xC11F128D

/*
   Thou shalt not follow the NULL pointer for chaos and madness
   await thee at its end.
*/
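As an added example (not part of this thread, and not APR or htpasswd code), a small Python audit that names the digest scheme of each htpasswd entry and flags the dated ones the mail is arguing against; the {SHA} line it builds matches what `htpasswd -s` writes (base64 of an unsalted SHA-1), which is why two users sharing a password get identical fields. The sample file, user names and hash bodies are constructed.

```python
import base64
import hashlib
import re

WEAK = {"apr1-md5", "sha1", "crypt", "plaintext"}  # the dated schemes, per the mail

def classify(stored):
    """Name the digest scheme of one htpasswd password field by prefix/shape."""
    if stored.startswith(("$2y$", "$2a$")):
        return "bcrypt"
    if stored.startswith("$apr1$"):
        return "apr1-md5"
    if stored.startswith("{SHA}"):
        return "sha1"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", stored):
        return "crypt"          # traditional crypt(3): 13 chars, 2-char salt
    return "plaintext"

def sha_entry(user, password):
    """Build a {SHA} line the way `htpasswd -s` does: base64 of the raw,
    unsalted SHA-1 of the password, so equal passwords yield equal fields."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"

def audit(htpasswd_text):
    """Return (user, scheme, is_weak) per entry; blank and comment lines skipped."""
    report = []
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        scheme = classify(stored)
        report.append((user, scheme, scheme in WEAK))
    return report

# Constructed sample file (not from the thread). The $apr1$, $2y$ and crypt
# bodies are dummy filler of the right shape, not real digests, since only
# the scheme prefix/shape is inspected. The {SHA} line is real sha_entry() output.
SAMPLE = "\n".join([
    "# users for /admin (constructed)",
    sha_entry("alice", "secret"),
    "bob:$apr1$saltsalt$" + "x" * 22,
    "carol:$2y$05$" + "y" * 53,
    "dave:changeme",
    "erin:abJcx9f.s2Xq6",
])
```

Run `audit(SAMPLE)` to get one tuple per user; every entry except carol's bcrypt line comes back flagged for an upgrade.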
