
[Bug-wget] [bug #51666] Please hash the hostname in ~/.wget-hsts files


From: Tim Ruehsen
Subject: [Bug-wget] [bug #51666] Please hash the hostname in ~/.wget-hsts files
Date: Fri, 24 Aug 2018 04:46:49 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0

Follow-up Comment #5, bug #51666 (project wget):

Thanks for addressing the issue.

Saving the salt together with the (salted) hash isn't of big help when we talk
about a limited set of input strings. You can get complete lists of existing
domains and brute force through them in a few seconds. Can even be optimized
by starting with the top 1m domains. I just mention this to make clear that
this way of obscuring is far from being safe. It is just slightly more effort
to reverse the domain names in comparison to unsalted hashes.

Anyways, it helps from being fly-by looked at, e.g. on the console.

I would like to ask you to not use OpenSSL for hashing. We have/use the SHA256
digest functions from gnulib anyways. So it should be straightforward.


    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?51666>

_______________________________________________
  Message sent via Savannah
  https://savannah.gnu.org/
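
The point in the comment above about storing the salt next to the hash, as an added example (not code from wget or from this thread): it counts the hash computations needed to match hashed hostname records against a candidate domain list, with and without a per-record salt. The scheme (SHA-256 over salt || hostname), the record layout, the function names and all hostnames are assumptions constructed for illustration.

```python
import hashlib
import os

def entry_hash(salt: bytes, hostname: str) -> str:
    """Assumed scheme: SHA-256 over salt || lowercased hostname."""
    return hashlib.sha256(salt + hostname.lower().encode("ascii")).hexdigest()

def make_store(hostnames, salted=True):
    """Build constructed (salt_hex, hash_hex) records; the salt sits beside the hash."""
    store = []
    for name in hostnames:
        salt = os.urandom(16) if salted else b""
        store.append((salt.hex(), entry_hash(salt, name)))
    return store

def recover(store, candidates):
    """Return ({hash: hostname} for matched records, hash computations spent)."""
    recovered, work, table = {}, 0, None
    for salt_hex, digest in store:
        salt = bytes.fromhex(salt_hex)
        if not salt:
            # Unsalted: one table over the candidate list serves every record.
            if table is None:
                table = {entry_hash(b"", c): c for c in candidates}
                work += len(candidates)
            if digest in table:
                recovered[digest] = table[digest]
            continue
        # Salted: the salt is readable, so the list is rehashed once per record.
        for cand in candidates:
            work += 1
            if entry_hash(salt, cand) == digest:
                recovered[digest] = cand
                break
    return recovered, work

# Constructed data: a 1000-name candidate list and four stored hosts,
# one of which (intranet.corp.example) is not on the list.
CANDIDATES = [f"site{i}.example" for i in range(1000)]
VISITED = ["site7.example", "site420.example", "site999.example",
           "intranet.corp.example"]

if __name__ == "__main__":
    for salted in (False, True):
        found, work = recover(make_store(VISITED, salted), CANDIDATES)
        print(f"salted={salted}: matched {len(found)} of {len(VISITED)} "
              f"records using {work} hash computations")
```

The salt changes the cost from one pass over the list to at most one pass per record; only the hostname absent from the candidate list stays unmatched in either case.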



