Any reason to not use SHA256 (or newer) for Signer / TimeStampSigner classes?


Cristiano Coelho

May 8, 2018, 6:44:05 PM
to Django developers (Contributions to Django itself)
Looks like the Signer class (and perhaps other parts of the code) still uses SHA1 ([1] and [2]) for the HMAC signing/hashing process.

I'm wondering if there's any specific reason to use SHA1 over newer versions, or if it would be worth it to pass the hash algorithm as a variable or even config option.



[1] https://github.com/django/django/blob/master/django/core/signing.py#L45
[2] https://github.com/django/django/blob/master/django/utils/crypto.py#L23

Tim Graham

May 8, 2018, 7:31:28 PM
to Django developers (Contributions to Django itself)
There's a ticket about it: https://code.djangoproject.com/ticket/27468

Backwards compatibility is the main consideration.

Cristiano Coelho

May 9, 2018, 7:31:43 PM
to Django developers (Contributions to Django itself)
Right, that backwards compatibility issue seems quite difficult to solve, although if the worst thing to happen is that all users are logged out, it shouldn't be that bad. Will read the ticket in detail.

Florian Apolloner

May 10, 2018, 11:38:41 AM
to Django developers (Contributions to Django itself)


On Thursday, May 10, 2018 at 1:31:43 AM UTC+2, Cristiano Coelho wrote:
> Right, that backwards compatibility issue seems quite difficult to solve, although if the worst thing to happen is that all users are logged out, it shouldn't be that bad. Will read the ticket in detail.

That is not the worst thing; it will invalidate __anything__ relying on signing. And even "just" log outs are a major issue for bigger sites.
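
The compatibility problem discussed in this thread, as an added example that is not part of any post here and is not Django's code: a stand-alone signer built on Python's `hmac` module that issues HMAC-SHA256 signatures while still accepting older HMAC-SHA1 ones during a transition window. The function names, salt, key derivation and sample key are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

SEP = ":"
SALT = b"example.signer"  # assumed per-purpose salt, constructed for this example


def _mac(key: bytes, value: str, algorithm: str) -> str:
    # Derive a per-purpose key from salt + secret, then HMAC the value with it.
    derived = hashlib.new(algorithm, SALT + key).digest()
    digest = hmac.new(derived, value.encode(), algorithm).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign(value: str, key: bytes, algorithm: str = "sha256") -> str:
    return f"{value}{SEP}{_mac(key, value, algorithm)}"


def unsign(signed: str, key: bytes, algorithms=("sha256", "sha1")):
    """Return (value, algorithm); the first listed algorithm is the current one."""
    value, sep, sig = signed.rpartition(SEP)
    if not sep:
        raise ValueError("no signature found")
    for algorithm in algorithms:
        expected = _mac(key, value, algorithm)
        # Constant-time comparison; bytes so non-ASCII input cannot raise TypeError.
        if hmac.compare_digest(sig.encode(), expected.encode()):
            return value, algorithm
    raise ValueError("signature does not match any accepted algorithm")


def upgrade(signed: str, key: bytes) -> str:
    """Verify a token and re-issue it under SHA-256 if it was signed with SHA-1."""
    value, algorithm = unsign(signed, key)
    return signed if algorithm == "sha256" else sign(value, key)


if __name__ == "__main__":
    key = b"constructed-secret-key"             # constructed sample secret
    legacy = sign("sessionid-42", key, "sha1")  # token issued before the switch
    print(unsign(legacy, key))
    print(unsign(upgrade(legacy, key), key))
```

Once all outstanding SHA-1 tokens have expired or been upgraded, pass `algorithms=("sha256",)` to `unsign` so legacy signatures are rejected.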