kf6kjg / WHIP-LRU

WHIP-LRU is a WHIP-protocol-compatible asset cache and server for Halcyon-based servers, such as Inworldz.
MIT License
3 stars 2 forks

Replace SHA1 with a better algo in the auth challenge #8

Open kf6kjg opened 6 years ago

kf6kjg commented 6 years ago

The existing WHIP protocol specs use SHA1 for the challenge hashing. SHA1, along with MD5, is now considered "broken" and should be replaced. This will require changes to at least WHIP-LRU, Halcyon, and WHIP itself.

appurist commented 6 years ago

This only really applies to outward-facing services (exposed to users). Ideally eventually we do want assets to be provided directly from the asset servers, however those will almost certainly be unauthenticated anyway. Unless I'm missing something, the WHIP protocol is internal network comms, although this may be specific to InWorldz rather than all Halcyon installations.

kf6kjg commented 6 years ago

That is correct, but having to hit "Ignore" on every code analysis tool is annoying. Hence this is currently targeted at milestone 2.0 - off in the future somewhen. :)