Closed FinnRG closed 1 year ago
Hmm, where did you see that HMAC-SHA1 is insecure? I was under the assumption it's still fine (although HMAC-SHA256 might be even better). Just curious...
I probably should have said less secure. It's not broken (even HMAC-MD5 isn't broken to my knowledge), but it's not recommended anymore, and considering how easy it is for us to change the algorithm, there's no reason to use HMAC-SHA1.
That is true. I changed the algorithm once already (from plain SHA1 to HMAC-SHA1, IIRC), and I tried to make it so that it can be changed in the future, because crypto algorithms are always changing.
We are currently using HMAC-SHA1, which is considered outdated and insecure. We should switch to SHA-256.
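
An added example, not part of the thread and not the project's own code: one way to keep the MAC algorithm changeable, as discussed above, is to store an algorithm label with each tag so that new tags use HMAC-SHA256 while existing HMAC-SHA1 tags still verify until they are re-issued. The `alg$hexdigest` tag format, the function names and the sample key are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumed tag format: "<algorithm>$<hex digest>". Labels are illustrative.
ALGORITHMS = {"hmac-sha1": hashlib.sha1, "hmac-sha256": hashlib.sha256}
CURRENT = "hmac-sha256"                    # every new tag uses this
ACCEPTED = {"hmac-sha1", "hmac-sha256"}    # drop "hmac-sha1" once migration ends


def sign(key: bytes, message: bytes, alg: str = CURRENT) -> str:
    """Return a self-describing tag for message."""
    digest = hmac.new(key, message, ALGORITHMS[alg]).hexdigest()
    return f"{alg}${digest}"


def verify(key: bytes, message: bytes, tag: str, accepted=ACCEPTED):
    """Return (valid, needs_upgrade).

    The label comes from stored data, so it is checked against an explicit
    allow-list instead of being passed straight to hashlib: an unknown or
    retired label is rejected before any digest is computed.
    """
    alg, sep, digest = tag.partition("$")
    if not sep or alg not in accepted or alg not in ALGORITHMS:
        return False, False
    expected = hmac.new(key, message, ALGORITHMS[alg]).hexdigest()
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    valid = hmac.compare_digest(expected.encode(), digest.encode("utf-8"))
    # A valid legacy tag should be re-issued with CURRENT by the caller.
    return valid, valid and alg != CURRENT


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed sample value
    msg = b"user=42;expires=1700000000"    # constructed sample value
    legacy = sign(key, msg, "hmac-sha1")
    ok, upgrade = verify(key, msg, legacy)
    print("legacy tag valid:", ok, "re-issue needed:", upgrade)
    if upgrade:
        print("re-issued:", sign(key, msg))
    print("after retiring SHA-1:", verify(key, msg, legacy, {"hmac-sha256"}))
```

Removing `hmac-sha1` from `ACCEPTED` completes the switch: legacy tags then fail verification instead of being silently accepted.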