Project

General

Profile

Actions

Feature #91554

open

Refactor SHA1 dependent components

Added by Tizian Schmidlin over 4 years ago. Updated almost 4 years ago.

Status:
New
Priority:
Should have
Assignee:
-
Category:
Security
Start date:
2020-06-02
Due date:
% Done:

0%

Estimated time:
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

Hello there,

as lined out in this article, SHA1 will soon be dropped from SSH since the standard is considered prone to collisions.

I think, since we are in an early phase of TYPO3 11 developments, it would be good to deprecate all methods and classes related to sha1 (or even md5 for that matter) that are still available in core.

Challenges:
  1. TYPO3 uses the sha1 built-in PHP function 32 times, mentions "sha1" 35 as separate string (either array hash, value or function argument) thoughout the core (that's 10 more instances of sha1 being called and two instances less as a string mention than back in TYPO3 9.5)
  2. TYPO3 also still uses md5 functions around 169 times (!) in the core
  3. Cryptographically safer functions might create quite a strain on the servers running the new code (on my benchmarks, using hash('sha256' instead of sha1 was approximately 0.6% slower).
Chances:
  1. Ensure more cryptographically safe software
  2. Get rid of really old code
  3. (Bragging rights for being the first CMS to throw out all old and cryptographically unsafe functions from its core?)

Best Regards
Tizian

Actions

Also available in: Atom PDF