changed the hashing algorithm from sha1 to sha256 due to security problems

Open lucianidev opened this issue 1 year ago • 4 comments

Hello, in issue #989 the user references a vulnerability in the sha1 hashing algorithm. The hashing method turned out to be vulnerable to hash collisions, making it insecure. I changed the hashing method from sha1 to sha256, making it more secure. Tell me about any problems. I hope you have a good day.

Documentation:
https://crypto.stackexchange.com/questions/48289/how-secure-is-sha1-what-are-the-chances-of-a-real-exploit
https://www.quora.com/How-secure-is-SHA1-What-are-the-chances-of-a-real-exploit
https://stackoverflow.com/questions/38038841/why-is-sha-1-considered-insecure

lucianidev avatar Jul 12 '24 10:07 lucianidev

sha1 is being used as a fast and efficient hash to detect changes in the session object

It is not cryptographically relevant, nor used for signing purposes.

jonchurch avatar Sep 07 '24 18:09 jonchurch

Hello team, is this going to be addressed at some point soon? Session is being reported as a vulnerability by monitoring tools because of its use of sha1.

krko12345 avatar Sep 27 '24 02:09 krko12345

One option would be to allow the user to choose which hashing algorithm to use

bjohansebas avatar Feb 10 '25 00:02 bjohansebas

@bjohansebas I wouldn't accept that change personally. Adding an additional config for internals of the library that consumers don't have to worry about is net negative IMO.

I understand that some automated security tools flag SHA-1 as a general vulnerability, but in this specific case, it’s a false positive. Switching to SHA-256 would introduce unnecessary overhead without adding security benefits.

jonchurch avatar Feb 11 '25 22:02 jonchurch