active_hashcash
active_hashcash copied to clipboard
Replace JS implementation of SHA1 with SubtleCrypto
Reimplementing the hashing algorithm in JavaScript (see Hashcash.sha1
) renders this library vulnerable to one specific attack: An attacker could fork this library and use a faster implementation of SHA1 and address all users of active_hashcash
.
I'd like to suggest that we replace the custom SHA1 implementation with one of the Web Crypto API. I suspect this is rather easy and would give 10-20 times more protection according to your note in the README.
The hashing function to be used would probably be the one with most widely-accessible onchip support and equal performance distribution.
If you want to dig deep, have a look at the testing distributions of SHA512. On that site I also found very interesting to look at what hash functions even exist.