From Helmut Tessarek <tessa...@evermeet.cx>
Subject Re: digest functions and validation - part 2
Date Mon, 05 May 2014 07:21:23 GMT
I really would like to know if and why the httpd and apr developers think
that md5 and sha1 are safe choices to be used for hashing passwords.

On 02.05.14 21:29 , William A. Rowe Jr. wrote:
> I would suggest that is a role for more cryptographic or hash provider
> libraries.  These were included based on their prevalence in web and similar
> protocols, not for cryptographic strength.

I agree to a certain degree, but the use of digests has shifted over the past
few years. While md5 and sha1 have been used to store passwords in tables or
files for web access in the past, now bcrypt and sha256/sha512 are used.

I'm just saying that the current digest implementations (as also seen in
htpasswd) are dated and should be updated to current standards.

I do understand that there are crypto and hash libraries that support dozens
of digests, but I'm just talking about the most used ones these days.
(e.g. Linux also switched to sha256 in /etc/shadow a while back)

By not adding the new standards to APR, you basically force users to use old
and unsafe digests when using APR.
Now people have to use sha1 (for the passwords on disk) to secure their web
sites via htpasswd. Do you really think that this is the proper course of action?

Also, the longer you don't give admins the tools to use safer digests, the
longer it will take to actually do so. You deadlock advancement.


P.S.: Can the owner of the mailing list please add the list's address as the
reply-to field?

regards Helmut K. C. Tessarek
lookup http://sks.pkqs.net for KeyID 0xC11F128D

   Thou shalt not follow the NULL pointer for chaos and madness
   await thee at its end.
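The message above objects to htpasswd storing passwords as unsalted sha1 on disk. The following is an added example, not code from the message or from APR/httpd: it reproduces the `{SHA}` htpasswd line format the author refers to, shows that two users sharing a password get byte-identical entries (no salt), and contrasts it with a salted, iterated hash. The salted variant uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for the bcrypt / sha256crypt schemes the author asks for, and its `$pbkdf2-sha256$` storage format is assumed for this example, not a format APR or htpasswd uses.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# htpasswd "{SHA}" scheme: base64 of the raw SHA-1 of the password.
# There is no salt and no work factor, which is the author's complaint.
def htpasswd_sha_entry(user: str, password: str) -> str:
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"

def verify_sha_entry(entry: str, password: str) -> bool:
    _user, stored = entry.split(":", 1)
    if not stored.startswith("{SHA}"):
        raise ValueError("not a {SHA} entry")
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    expected = base64.b64encode(digest).decode("ascii")
    return hmac.compare_digest(stored[len("{SHA}"):], expected)

# Salted, iterated alternative. PBKDF2-HMAC-SHA256 is an assumption: a stdlib
# stand-in for bcrypt / sha256crypt; the "$pbkdf2-sha256$" layout is made up here.
ROUNDS = 100_000

def salted_entry(user: str, password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or os.urandom(16)  # fresh per-user salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)
    salt_b64 = base64.b64encode(salt).decode("ascii")
    dk_b64 = base64.b64encode(dk).decode("ascii")
    return f"{user}:$pbkdf2-sha256${ROUNDS}${salt_b64}${dk_b64}"

def verify_salted_entry(entry: str, password: str) -> bool:
    _user, stored = entry.split(":", 1)
    _, scheme, rounds, salt_b64, dk_b64 = stored.split("$")
    if scheme != "pbkdf2-sha256":
        raise ValueError("unknown scheme")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             base64.b64decode(salt_b64), int(rounds))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))

def same_password_gives_same_hash(scheme) -> bool:
    """True when two users sharing a password get identical stored hashes.

    For an unsalted scheme one precomputed lookup covers every such user;
    a salted scheme makes each entry distinct."""
    a = scheme("alice", "correct horse").split(":", 1)[1]
    b = scheme("bob", "correct horse").split(":", 1)[1]
    return a == b
```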
