It's also worth noting that the correct time to switch is not when something is broken, it's well before then.
Alex On Wed, Mar 15, 2017 at 5:14 PM, Paul Kehrer <paul.l.keh...@gmail.com> wrote: > Echoing Alex's comments, SHA1's problems do not affect HMAC constructions > so there's no current security issue. That said, optics in cryptography can > be important (as you're seeing with your user requests now). You will save > yourself a great deal of low grade noise in the future by simply switching > now. > > On March 15, 2017 at 1:53:24 PM, Alex Gaynor (alex.gay...@gmail.com) > wrote: > > Hi David, > > You're correct that HMAC's security is still fine when used with SHA-1, > HMAC-MD5 is even secure believe it or not. > > That said, I'd generally recommend people migrate to HMAC-SHA-256 > anyways, to make analyzing their software easier. > > Alex > > On Wed, Mar 15, 2017 at 1:48 PM, David Lord <david...@gmail.com> wrote: > >> Hello cryptography, >> >> Over at the Flask repos, we've had a number of requests to use SHA-256 >> instead of SHA-1 in a couple places. >> Werkzeug defaults to SHA-1 as part of PBKDF2 to generate password hashes. >> ItsDangerous defaults to SHA-1 as part of HMAC signatures. >> >> After some discussion I concluded that as used in those two methods, >> SHA-1's collision issues were not relevant. >> However, I'd like to get a second opinion from the cryptography experts. >> >> I can change the default to SHA-256, but if it's not actually making >> things more secure then that's just increasing time and space for no reason. >> >> Thanks, >> David >> >> _______________________________________________ >> Cryptography-dev mailing list >> Cryptography-dev@python.org >> https://mail.python.org/mailman/listinfo/cryptography-dev >> >> > > > -- > "I disapprove of what you say, but I will defend to the death your right > to say it." -- Evelyn Beatrice Hall (summarizing Voltaire) > "The people's good is the highest law." -- Cicero > GPG Key fingerprint: D1B3 ADC0 E023 8CA6 > > _______________________________________________ > Cryptography-dev mailing list > Cryptography-dev@python.org > https://mail.python.org/mailman/listinfo/cryptography-dev > > -- "I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire) "The people's good is the highest law." -- Cicero GPG Key fingerprint: D1B3 ADC0 E023 8CA6
_______________________________________________ Cryptography-dev mailing list Cryptography-dev@python.org https://mail.python.org/mailman/listinfo/cryptography-dev
