bigbluebutton-api-php
                        Use SHA-256 instead of SHA-1
Apparently BBB supports SHA-256, which happens to be much more secure than SHA-1. Since clients may come in contact with URLs containing a checksum, especially with join URLs, I strongly suggest a simple upgrade to SHA-256.
TLS does not protect against clients deriving the secret from the checksum eventually.
Upgrading to SHA-256 of course doesn't fully solve the underlying issue, nor does it solve the issue of replay attacks. A single-use token based approach for untrusted clients would provide better security in the future.
I don't really know since when BBB has supported SHA-256. It might be a good idea to provide a fallback SHA-1 option.
https://github.com/bigbluebutton/bigbluebutton-api-php/blob/68af8b2a54481857c914fcc801d488e51b641024/src/Util/UrlBuilder.php#L72
For a discussion of SHA-1 in BBB see https://github.com/bigbluebutton/bigbluebutton/issues/9634
Hi @KimBrodowski the API should be able to use both sha1 and sha256. We will update it to use any of them by configuration. Any suggestion?
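One way to implement the configurable checksum algorithm discussed above, as an added PHP example that is not code from bigbluebutton-api-php: the builder defaults to sha256 and accepts sha1 as a fallback for servers that only verify SHA-1. The class name, the base URL, the secret and the join parameters are placeholders chosen for the example; the checksum construction (hash over call name, query string and shared secret) is BBB's documented scheme.

```php
<?php
declare(strict_types=1);

// Added example, not part of bigbluebutton-api-php. A URL builder whose
// checksum algorithm is selected by configuration: sha256 by default, sha1
// as an explicit fallback. The checksum itself is computed the way BBB
// defines it: hash(callName . queryString . sharedSecret).

final class ChecksumUrlBuilder
{
    /** Algorithms this builder accepts; both are names understood by PHP's hash(). */
    private const ALLOWED = ['sha1', 'sha256'];

    private string $baseUrl;
    private string $secret;
    private string $algorithm;

    public function __construct(string $baseUrl, string $secret, string $algorithm = 'sha256')
    {
        if (!in_array($algorithm, self::ALLOWED, true)) {
            throw new InvalidArgumentException("Unsupported checksum algorithm: {$algorithm}");
        }
        $this->baseUrl   = rtrim($baseUrl, '/') . '/';
        $this->secret    = $secret;
        $this->algorithm = $algorithm;
    }

    /** Checksum over the call name, the exact encoded query string and the shared secret. */
    public function checksum(string $callName, string $queryString): string
    {
        return hash($this->algorithm, $callName . $queryString . $this->secret);
    }

    /** Full API URL with the checksum appended as the last query parameter. */
    public function buildUrl(string $callName, array $params): string
    {
        // The checksum must cover the query string exactly as it is sent, so encode first.
        $queryString = http_build_query($params, '', '&', PHP_QUERY_RFC3986);
        $checksum    = $this->checksum($callName, $queryString);
        return $this->baseUrl . 'api/' . $callName . '?' . $queryString . '&checksum=' . $checksum;
    }
}

// Constructed placeholders: not a real server, secret or meeting.
$baseUrl = 'https://bbb.example.org/bigbluebutton/';
$secret  = 'REPLACE_WITH_SHARED_SECRET';
$params  = ['meetingID' => 'demo-room', 'fullName' => 'Alice Example', 'password' => 'ap'];

$sha256Builder = new ChecksumUrlBuilder($baseUrl, $secret);          // default: sha256
$sha1Builder   = new ChecksumUrlBuilder($baseUrl, $secret, 'sha1');  // explicit fallback

echo $sha256Builder->buildUrl('join', $params), PHP_EOL;
echo $sha1Builder->buildUrl('join', $params), PHP_EOL;

// The hex length shows which algorithm produced a checksum: 64 chars for
// sha256, 40 for sha1. A server that only knows SHA-1 rejects the 64-char form,
// which is the case the sha1 fallback exists for.
printf("sha256 checksum length: %d\n", strlen($sha256Builder->checksum('join', 'a=b')));
printf("sha1 checksum length:   %d\n", strlen($sha1Builder->checksum('join', 'a=b')));
```

Selecting the algorithm at construction time keeps the choice out of every call site, and rejecting anything other than the two known names prevents a typo in configuration from silently producing a checksum the server will never accept. Switching the hash does not change what the original post points out: the shared secret still feeds every checksum a client sees, so a single-use token for untrusted clients remains the stronger design.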