php-ssh-connection icon indicating copy to clipboard operation
php-ssh-connection copied to clipboard

Published 20 hours ago verified publisher icon DivineOmega

Using secure fingerprint hash approach

Open peter279k opened this issue 5 years ago • 3 comments

As title, it seems that we use MD5 and SHA-1 hashes for the connection fingerprint.

But they're not safe because of collision.

To be secure, I think we can use the SHA-2, SHA-3 or bcrypt (password_hash) to replace original hash approaches.

@DivineOmega, what do you think about that? Thanks.

peter279k avatar Mar 16 '20 06:03 peter279k

@peter279k I'd be happy to accept a PR that adds all these algorithms as options.

I'd suggest we keep the current default for now though, and perhaps do a later breaking release to change it.

DivineOmega avatar Mar 18 '20 09:03 DivineOmega

Hi @DivineOmega, thanks for your reply.

Perhaps we can consider add this to be the 2.0 version release milestone.

What do you think about this idea?

peter279k avatar Mar 23 '20 16:03 peter279k

@peter279k We're already at v2.1.0, but yes. We could make it v3.0.0.

I'd suggest we add the new fingerprint algorithms with the default kept the same, and release that as v2.2.0. Immediately after that, we can set the default to a more secure algorithm and release that as v3.0.0.

DivineOmega avatar Mar 23 '20 23:03 DivineOmega