OWASP / ASVS

Application Security Verification Standard
Creative Commons Attribution Share Alike 4.0 International

Include UUID v6, v7, v8 #1323

Closed Sjord closed 2 years ago

Sjord commented 2 years ago

ASVS 6.3.2 says

Verify that random GUIDs are created using the GUID v4 algorithm

IETF is working on proposing new UUID versions, which may also be acceptable. We should evaluate these and consider allowing them in this ASVS requirement.

tghosth commented 2 years ago

It looks to me like v6, v7 and v8 are not designed to be fully random like v4 is, so I don't think we would allow them. What do you think?

Sjord commented 2 years ago

UUID v4 contains 122 bits of randomness. UUID v7 contains 74 bits of randomness and a timestamp in milliseconds of 48 bits. That's less random, but still firmly in the territory of unguessable within reasonable times. It could be acceptable in some cases. Of course, it's easier and safer to only allow UUID v4. But if some application is using UUID v7 for an identifier, I wouldn't call it vulnerable in any way.

tghosth commented 2 years ago

I don't think it is just a question of guessability but also information disclosure. It looks like it is clear from a UUIDv7 when the UUID was generated.
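
As an added worked example (not from the ASVS project nor from either commenter) of the two points above, the bit counts in Sjord's comment and the timestamp leak tghosth raises: the IETF draft referenced in this issue has since been published as RFC 9562, and the v4/v7 layouts, the 122/74 random-bit counts and the sample UUIDv7 value below are taken from it. The helper names (uuid7, random_bits, uuid7_timestamp_ms, embedded_timestamp, compare_versions) and the constant RFC9562_V7_EXAMPLE are my own; the UUIDv7 builder is written out by hand so the field layout is visible, rather than relying on the uuid7() that recent CPython releases ship.

```python
import os
import time
import uuid
from datetime import datetime, timezone
from typing import Optional

# Bits left to the CSPRNG per version (RFC 9562 layouts):
#   v4: 128 - 4 (version) - 2 (variant)                    = 122
#   v7: 128 - 48 (unix_ts_ms) - 4 (version) - 2 (variant)  = 74
RANDOM_BITS = {4: 122, 7: 74}

# UUIDv7 example value from RFC 9562 (used here as a constructed test input).
RFC9562_V7_EXAMPLE = uuid.UUID("017F22E2-79B0-7CC3-98C4-DC0C0C07398F")


def uuid7(unix_ts_ms: Optional[int] = None) -> uuid.UUID:
    """Build a UUIDv7 by hand (hypothetical helper, not ASVS or stdlib code).

    Layout, most significant bit first:
      48 bits unix_ts_ms | 4 bits version (0111) | 12 bits rand_a |
      2 bits variant (10) | 62 bits rand_b
    """
    if unix_ts_ms is None:
        unix_ts_ms = time.time_ns() // 1_000_000
    if not 0 <= unix_ts_ms < (1 << 48):
        raise ValueError("unix_ts_ms must fit in 48 bits")
    rand = int.from_bytes(os.urandom(10), "big")  # 80 random bits; 74 are used
    rand_a = (rand >> 62) & 0xFFF                 # 12 bits
    rand_b = rand & ((1 << 62) - 1)               # 62 bits
    value = (
        (unix_ts_ms << 80)
        | (7 << 76)
        | (rand_a << 64)
        | (0b10 << 62)
        | rand_b
    )
    return uuid.UUID(int=value)


def random_bits(u: uuid.UUID) -> int:
    """Number of bits an attacker must guess for this UUID's version."""
    try:
        return RANDOM_BITS[u.version]
    except KeyError:
        raise ValueError(f"no layout known for version {u.version!r}") from None


def uuid7_timestamp_ms(u: uuid.UUID) -> int:
    """Recover the 48-bit millisecond timestamp a UUIDv7 carries in the clear."""
    if u.version != 7:
        raise ValueError("not a UUIDv7")
    return u.int >> 80


def embedded_timestamp(u: uuid.UUID) -> Optional[datetime]:
    """UTC creation time if the UUID discloses one (v7); None for v4."""
    if u.version == 7:
        return datetime.fromtimestamp(uuid7_timestamp_ms(u) / 1000, tz=timezone.utc)
    return None


def compare_versions() -> dict:
    """Side-by-side view of a fresh v4 and a fresh v7: guess space vs. what leaks."""
    v4, v7 = uuid.uuid4(), uuid7()
    return {
        "v4": {"uuid": str(v4), "random_bits": random_bits(v4), "created": embedded_timestamp(v4)},
        "v7": {"uuid": str(v7), "random_bits": random_bits(v7), "created": embedded_timestamp(v7)},
    }


if __name__ == "__main__":
    print("RFC example:", RFC9562_V7_EXAMPLE, "created", embedded_timestamp(RFC9562_V7_EXAMPLE))
    for version, info in compare_versions().items():
        print(version, info)
```

Running it prints a creation time to the millisecond for every v7 value and None for v4, which is the information-disclosure argument in concrete form; 74 bits is still far beyond online guessing, so the trade-off a reviewer weighs for v7 is disclosure (and the sortability that comes with it), not guessability.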

Sjord commented 2 years ago

I hadn't considered that. Let's keep with UUID v4 for now.