On Mon, Jul 22, 2024 at 9:06 AM Derick Rethans <der...@php.net> wrote:

> - Deprecate md5(), sha1(), md5_file(), and sha1_file() (just says "large
>   impact")


About 1.2 million.
https://github.com/search?q=%28md5+OR+md5_file+OR+sha1+OR+sha1_file%29+language%3APHP+&type=code

The proposed deprecation of these functions in PHP due to their
cryptographic insecurities seems to overlook their valid non-cryptographic
applications. If we consider the context, the scope of cryptographic usage
is already quite specific. We're talking about end users who are rolling
their own security implementations and are unaware of the security risks
but somehow know how to use these functions without reading the
documentation and warnings.

The number of people who fall into this specific category is quite small.
Yet, this change is being proposed for their sake. It's important to note
that these same users could/will easily make other security mistakes
regardless of this deprecation.

On the other hand, who will be impacted by these deprecations? Potentially
everyone, as these are included in many projects and in many vendor
packages.  It's busy work for the people who aren't affected.  Sure,
eventually, it will all be sorted out as CI warnings slowly subside because
of this.

Reasons such as Git and most cloud storage services using these functions should be
enough to spare them. Example: https://rclone.org/overview/

The point is that there are several reasons in 2024 to use md5 and sha1.
Granted, hashing passwords isn't one, but we're past that as a community
already. And for the few who aren't, I'd argue there is no saving them.

Thanks,
Peter

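The non-cryptographic uses the reply points at (Git object IDs, storage checksums) beside the one use it concedes is not acceptable (passwords), as an added PHP example that is not part of the thread. The Git blob hashing rule ("blob <size>\0<content>" under SHA-1) is Git's documented object format; the remote MD5 checksum and the temporary file are constructed for the example, and the assumption that the remote publishes an MD5 for its objects is what rclone's overview table documents for several backends:

```php
<?php
// Added example, not from the thread. Shows why a deprecation of md5()/sha1()
// would hit code that is not doing cryptography at all, next to the case
// where these functions really are the wrong tool.

declare(strict_types=1);

/**
 * Git names a blob by SHA-1 over "blob <size>\0<content>". This is an
 * identifier scheme fixed by Git, not a security control chosen by us; PHP
 * code that interoperates with a Git repository must produce exactly this
 * value, so sha1() is the right (and only) tool.
 */
function gitBlobId(string $content): string
{
    $header = 'blob ' . strlen($content) . "\0";
    return sha1($header . $content);
}

/**
 * Compare a local file against the MD5 checksum a storage backend reports
 * for an object (assumption: the remote exposes MD5, as rclone's overview
 * table lists for many backends). The algorithm is dictated by the remote,
 * so md5_file() is required here. hash_equals() keeps the comparison
 * constant-time; not security-relevant for a checksum, but a harmless habit.
 */
function matchesRemoteMd5(string $path, string $remoteMd5): bool
{
    $local = md5_file($path);
    if ($local === false) {
        throw new RuntimeException("cannot read $path");
    }
    return hash_equals(strtolower($remoteMd5), $local);
}

/**
 * Passwords are the case the thread agrees md5()/sha1() are NOT for:
 * use password_hash()/password_verify(), which pick a slow, salted
 * algorithm and encode the parameters in the returned string.
 */
function storePassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

function checkPassword(string $plain, string $stored): bool
{
    return password_verify($plain, $stored);
}

// Constructed sample data for a stand-alone run.
$content = "hello world\n";
$tmp = tempnam(sys_get_temp_dir(), 'md5demo');
file_put_contents($tmp, $content);

// Same value `git hash-object` prints for a file holding $content.
echo 'git blob id: ', gitBlobId($content), PHP_EOL;

// Hypothetical checksum reported by the remote for this object.
$remoteMd5 = md5($content);
echo 'checksum matches remote: ', var_export(matchesRemoteMd5($tmp, $remoteMd5), true), PHP_EOL;

$stored = storePassword('correct horse battery staple');
echo 'password verifies: ', var_export(checkPassword('correct horse battery staple', $stored), true), PHP_EOL;
echo 'wrong password verifies: ', var_export(checkPassword('Tr0ub4dor&3', $stored), true), PHP_EOL;

unlink($tmp);
```

Run it with `php example.php`; `git hash-object` on a file containing the same content prints the same id as `gitBlobId()`, which is the point: the hash algorithm in the first two functions is chosen by the system being talked to, not by the PHP author, while in the password case the author does choose and should not pick md5 or sha1.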