 
oss-sec mailing list archives
Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses
From: Solar Designer <solar () openwall com>
Date: Thu, 26 Sep 2024 21:11:39 +0200
Hi LinkinStar,

There were several more replies from others, please see in the list archive if you're not subscribed:

https://www.openwall.com/lists/oss-security/

On Thu, Sep 26, 2024 at 10:10:38AM +0800, LinkinStar wrote:

> Because *Gravatar recommends using sha-256*, we believe there must be a reason for its modification. Since the official recommendation is to change the encryption method, why not implement it according to the official requirements? You must admit that sha-256 is more difficult than md5, even if only slightly. Although this may not completely solve the problem, I believe following the official recommendation would be marginally better, wouldn't it? So I think this fix itself is acceptable.
The change is fine - just don't call it a security fix. Also, this is hashing and not encryption.

Others pointed out that Gravatar's recommendation is just that - not a specification - so unless you need interoperability with other servers implementing Gravatar, you can do better than SHA-256. Specifically, use of a keyed hash such as HMAC-SHA256 was suggested and makes sense to me - as long as the key is generated from a CSPRNG (such as /dev/urandom) and is large enough (such as 32 bytes).

Alexander
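The keyed-hash suggestion in the reply above, as an added example in Go (the language Apache Answer is written in) that is not part of the thread or of the project: it puts Gravatar's recommended SHA-256 form beside an HMAC-SHA256 avatar ID keyed with 32 bytes from crypto/rand, and shows why only the keyed form stops an observer from confirming a guessed address from a public avatar URL. Function names and the sample addresses are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"strings"
)

// normalize applies Gravatar's canonical form: trim whitespace, lowercase.
func normalize(email string) string {
	return strings.ToLower(strings.TrimSpace(email))
}

// GravatarHash is the interoperable form Gravatar recommends: SHA-256 over
// the normalized address. Anyone holding a candidate address can recompute
// it and confirm a match, so it does not hide the address.
func GravatarHash(email string) string {
	sum := sha256.Sum256([]byte(normalize(email)))
	return hex.EncodeToString(sum[:])
}

// NewAvatarKey draws 32 bytes from the OS CSPRNG (crypto/rand).
func NewAvatarKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// KeyedAvatarID is the keyed variant: HMAC-SHA256 under a server-secret key.
// Without the key an observer cannot recompute it from a guessed address, but
// it is no longer a Gravatar hash, so the server must serve the avatar itself.
func KeyedAvatarID(key []byte, email string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(normalize(email)))
	return hex.EncodeToString(mac.Sum(nil))
}

// ConfirmsAddress models the offline check an observer can run against a
// public avatar URL: the candidate whose unkeyed hash matches, or "".
func ConfirmsAddress(urlHash string, candidates []string) string {
	for _, c := range candidates {
		if GravatarHash(c) == urlHash {
			return c
		}
	}
	return ""
}
```

Rotating the key invalidates every existing avatar ID, so a deployment would store the key alongside the avatars it serves rather than regenerate it per process.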
Current thread:
- CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Enxin Xie (Sep 25)
- Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Solar Designer (Sep 25)
- RE: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Goldberg, Adam (Sep 25)
- Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Jeffrey Walton (Sep 25)
- Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses LinkinStar (Sep 26)
- Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Solar Designer (Sep 26)
- RE: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Goldberg, Adam (Sep 25)
- Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Demi Marie Obenour (Sep 25)
- Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Alexander Patrakov (Sep 27)
- Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Fabian Bäumer (Sep 27)
- Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Sam Bull (Sep 27)
- Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Alexander Patrakov (Sep 27)
- Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Solar Designer (Sep 25)
- Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Fabian Bäumer (Sep 26)