On Tue, Feb 18, 2020 at 3:31 AM Ram Rachum <ram.rac...@gmail.com> wrote:

> Hi guys,
>
> Recently I was working with Django's CSRF protection, customizing it to my
> needs, and discussing with co-workers exactly how it works and how it has
> protection against the BREACH attack being used to retrieve the CSRF key.
>

https://github.com/django/django/pull/11919#issuecomment-549000592


> Relevant code here:
> https://github.com/django/django/blob/master/django/middleware/csrf.py#L45
>
> One point of confusion is the use of the term salt in Django's source
> code. People expect salt to mean the same as salt in the database, which
> works quite differently and doesn't mask the actual secret.
>
> I'm not a security expert so I may be wrong, but I think that "One-time
> pad", "XOR mask" or just "mask" would be more accurate terms.
>
> I propose to change the "salt" to "mask" everywhere these terms appear in
> the CSRF code, and similarly "unsalt" to "unmask". As far as I know this
> wouldn't affect functionality at all, because the term "salt" doesn't
> appear in actual tokens.
>
> What do you think?
>

I think the term is accurate in the domain -
https://en.wikipedia.org/wiki/Salt_(cryptography) - no need to rename it.


>
> Ram.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-developers+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-developers/3cf02beb-e292-4991-b75e-2f3f6e28d371%40googlegroups.com.
>
