Update SHA1 to SHA256 #819
Conversation
Updating the Data Cache to utilize a more up-to-date with security standards hashing algorithm. Tests have also been updated to utilize and confirm the functionality. All Tests passing
|
| /// | ||
| /// ```swift | ||
| /// print("http://test.com".sha1) | ||
| /// // prints "50334ee0b51600df6397ce93ceed4728c37fee4e" | ||
| /// print("http://test.com".256) |
There was a problem hiding this comment.
should it be /// print("http://test.com".sha256)?
|
Is there a performance difference when switching to sha256? How big? Is the hash even used for securing anything here? Those types of corporate policies are usually for password hashing. |
|
Hey, I just wanted to say that I saw the PR, and I agree that it's fair concern as .sha1 is now considered "Insecure". But I do share the same concerns as @fabianfabian. I begrudgingly switched from md5 to (slower) sha1 in one of the previous releases, and sha256 will likely be slower still.
No, but this type of tooling typically doesn't care. I've been thinking about switching to an SQLite-based cache that wouldn't require hashing. |
|
Yeah, from what I understood from the code itself there aren't any actual security concerns with this. It's only an issue for me as because it's included within the framework, and that gets picked up in the static scan that we run for security vulnerabilities. I believe our use case doesn't utilize this part of the code even, but our company's security policy is really strict that the inclusion of using SHA1 for something is not acceptable. We would love to use this framework as it's been extremely performant, but as it stands we can't because of the use of SHA1. Regardless, do whatever you think is best for it. 👍 |
Updating the Data Cache to utilize a more up-to-date with security standards hashing algorithm.
Tests have also been updated to utilize and confirm the functionality. All Tests passing
As an employee of a large corporation, I would love to utilize this library to load images as it is very performant. Unfortunately, based on our corporate security standards, we are unable to use this framework as it stands because it contains usage of an insecure hash function. This PR's goal is to update that hash function from SHA1 to SHA256, allowing it to adhere to current security standards and will make it so that it does not get flagged as a vulnerability within static scans of the framework