[dev] [commits] Horde branch master updated. 0ab877c762ed591254793fdeb8840a27087b0c5e
Michael M Slusarz
slusarz at horde.org
Thu Mar 13 05:46:01 UTC 2014
Quoting Michael M Slusarz <slusarz at horde.org>:
> commit 2d91444b8cb4a63a67355fcd3eb28af6b497b4c0
> Author: Michael M Slusarz <slusarz at horde.org>
> Date: Wed Mar 12 02:27:59 2014 -0600
>
> Another place to change hash algorithm
>
> framework/Imap_Client/lib/Horde/Imap/Client/Base.php | 5 ++++-
> 1 files changed, 4 insertions(+), 1 deletions(-)
>
> http://github.com/horde/horde/commit/2d91444b8cb4a63a67355fcd3eb28af6b497b4c0
> http://git.horde.org/horde-git/-/commit/2d91444b8cb4a63a67355fcd3eb28af6b497b4c0
I have mentioned this before in commit messages ... but MD5 has been
proven to be inadequate for hashing purposes due to collision issues.
See, e.g.:
http://www.mscs.dal.ca/~selinger/md5collision/
I've personally changed code to use either SHA-1 (unfortunately much
slower than MD5, and larger output, but collision resistant and should
always be available in PHP) or FNV-1(32 bit) (only available on PHP
5.4+, faster than MD5, designed specifically as non-crpytographic
hash, low collision rate).
Would be better to use FNV-1a than FNV-1, but due to oversight this
was left out of hash() and my patch to add won't show up until PHP
5.6. Even better would be xxhash, but this would require the
installation of a PHP module.
Granted, there's still going to be a low rate of collisions using MD5,
but all it takes is one collision to potentially leak something like,
say, cached e-mail message data. So better safe than sorry.
michael
___________________________________
Michael Slusarz [slusarz at horde.org]
More information about the dev
mailing list