From: Tim Funk
Organization: Human Being
To: Tomcat Developers List
Date: Tue, 06 Jan 2009 08:02:16 -0500
Message-ID: <49635658.8040800@joedog.org>
Subject: Re: Why are manager session tokens generated with MD5 by default?

Just turning the random number into a session id should be sufficient and we can forget the MD5 altogether. But if someone figures out the seed and can guess future subsequent numbers, then they can guess future session ids.

By using a hashing algorithm - it makes it impossible to guess what numbers came from the random number generator.

If MD5 is so broken that a person can piece together a long enough sequence of numbers to figure out the seed - and guess future session ids - then we need to replace it. But MD5 is not that broken.

-Tim

Minoo Hamilton wrote:
> I'd like to re-raise an issue, since I didn't get too much of a
> response, originally. Who can I talk to to lobby to get the default
> behavior of using MD5 session token hashes to change? If you weren't
> aware of it, there has been a recent and highly-publicized breaking of
> SSL, by creating a rogue certificate authority, using collisions in
> MD5. Creating collisions in MD5 is no longer a "highly theoretical"
> attack for potential session hijacking. I'd very much like to see the
> default behavior of Tomcat session tokens become more secure by default
> (possibly SHA-256). I think the default hashing algorithm should not be
> a known broken and insecure one.
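
The trade-off discussed in this message, as an added example that is not part of the original e-mail and is not Tomcat's code: session ids taken raw from a generator versus ids passed through a digest first. `ToyLcg` is a constructed stand-in for a non-cryptographic generator whose output is its entire state, and every function name here is hypothetical.

```python
import hashlib
import secrets

MASK = (1 << 64) - 1


class ToyLcg:
    """Constructed toy generator: each output is its complete internal state."""

    def __init__(self, seed):
        self.state = seed & MASK

    def next(self):
        self.state = (self.state * 6364136223846793005 + 1442695040888963407) & MASK
        return self.state


def raw_session_id(rng):
    """Session id that exposes the generator output directly."""
    return format(rng.next(), "016x")


def hashed_session_id(rng, algorithm="md5"):
    """Session id that exposes only a digest of the generator output."""
    return hashlib.new(algorithm, rng.next().to_bytes(8, "big")).hexdigest()


def next_raw_id_after(observed_id):
    """Anyone holding one raw id holds the state, so the next id follows from it."""
    clone = ToyLcg(0)
    clone.state = int(observed_id, 16)
    return raw_session_id(clone)


def csprng_session_id():
    """128 bits from the OS CSPRNG: no recoverable state behind the id."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    rng = ToyLcg(2009)
    first, second = raw_session_id(rng), raw_session_id(rng)
    print("raw id reveals the next one:", next_raw_id_after(first) == second)
    rng = ToyLcg(2009)
    for alg in ("md5", "sha256"):
        print(alg, hashed_session_id(rng, alg))
    print("csprng", csprng_session_id())
```

With the digest in place, recovering the generator output from an id is a preimage problem, which is a different property from the collision resistance that the rogue-CA work broke.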