Add support for different hash functions
Please add support for different hash functions for the token.
A new URL could look like this:
<hash_func> could be md5 or sha1 or something else
Updated by wienczny over 10 years ago
MD5 should be considered broken and should not be used for crypto any more. I don't know of any attack that directly affects the security of your tokens but it makes me feel queasy that a new attack might spit out the secret one day. To be prepared for that, it's better to be able to operate with different hash functions.
I don't want you to discard md5 by now. You could leave it as default when no hash function is given.
Updated by gstrauss over 2 years ago
- Status changed from New to Fixed
- Target version set to 1.4.x
mod_secdownload supports MD5 (the default), as well as HMAC-SHA1 and HMAC-SHA256, since lighttpd 1.4.38.
secdownload.algorithm = <string> ("md5", "hmac-sha1", "hmac-sha256")
It is better to enforce the algorithm used with a server-side config option, rather than to have the client able to specify a (weaker) option.
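The difference between a client-selected and a server-pinned algorithm, as an added example that is not part of the thread and not lighttpd's code. The token layout, the function names, the secret and the `timeout` parameter are assumptions constructed for illustration and do not reproduce mod_secdownload's actual URL or token format.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"   # constructed sample value
PINNED_ALGORITHM = "hmac-sha256"      # server-side choice, in the spirit of secdownload.algorithm

def make_token(algorithm, rel_path, ts_hex, secret=SECRET):
    """Compute a token over rel_path + ts_hex (simplified layout, an assumption)."""
    msg = (rel_path + ts_hex).encode()
    if algorithm == "md5":
        return hashlib.md5(secret + msg).hexdigest()
    if algorithm in ("hmac-sha1", "hmac-sha256"):
        digest = hashlib.sha1 if algorithm == "hmac-sha1" else hashlib.sha256
        return hmac.new(secret, msg, digest).hexdigest()
    raise ValueError("unsupported algorithm: " + algorithm)

def _equal(a, b):
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    return hmac.compare_digest(a.encode(), b.encode())

def verify_client_selected(algorithm, token, rel_path, ts_hex):
    """Weak design: the request names the algorithm, so the weakest one the
    server still implements stays reachable for every request."""
    try:
        expected = make_token(algorithm, rel_path, ts_hex)
    except ValueError:
        return False
    return _equal(expected, token)

def verify_pinned(token, rel_path, ts_hex, now=None, timeout=60):
    """Server-side enforcement: only PINNED_ALGORITHM is ever computed, so a
    token made with any other algorithm fails regardless of what the URL says."""
    now = int(time.time()) if now is None else now
    try:
        issued = int(ts_hex, 16)
    except ValueError:
        return False
    if not 0 <= now - issued <= timeout:
        return False  # expired, or timestamp in the future
    expected = make_token(PINNED_ALGORITHM, rel_path, ts_hex)
    return _equal(expected, token)
```

With the pinned verifier, retiring MD5 is a one-line configuration change on the server, and old MD5 tokens stop validating immediately.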