#14445: Use HMAC and constant-time comparison functions where needed in Django ---------------------------+------------------------------------------------ Reporter: lukeplant | Owner: nobody Status: new | Milestone: Component: Uncategorized | Version: 1.2 Keywords: | Stage: Unreviewed Has_patch: 0 | ---------------------------+------------------------------------------------ Various places in Django use MD5/SHA1 based methods as a kind of MAC (Message Authentication Code). HMAC is a much better alternative.
In most cases, we need to maintain backwards compatibility with existing signed values, by falling back to the existing MD5/SHA1 method. This means we will continue to have potential weaknesses, but by only generating HMACs from now on, we can phase out support for these old values over time, using the normal deprecation method. This should give plenty of time for the old hashes to expire naturally anyway. In addition, in all these places, and some others, the MACs are tested for validity using simple string equality, which potentially opens us up to timing-based attacks to discover the tokens. -- Ticket URL: <http://code.djangoproject.com/ticket/14445> Django <http://code.djangoproject.com/> The Web framework for perfectionists with deadlines. -- You received this message because you are subscribed to the Google Groups "Django updates" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/django-updates?hl=en.
