[Ur] Thoughts on cryptographic hashing for Ur/Web standard library?
Adam Chlipala
adamc at csail.mit.edu
Sat May 19 15:52:02 EDT 2018
After a busy semester, I am going through the backlog of Ur/Web issue
reports. I'm hoping to make a new Ur/Web release soon, and here is the
first in what may be a series of community queries, to decide whether
certain changes are appropriate.
It has been pointed out <https://github.com/urweb/urweb/pull/114> that
Ur/Web's Basis.crypt uses DES, a weak hashing approach by today's
standards. I can think of a few potential courses of action:
1. As in the linked PR, just add a comment essentially saying "hey,
this crypto isn't so great."
2. Switch to a different cryptosystem available in OpenSSL's libcrypto,
which is already linked with all Ur/Web apps.
3. Realize that literally no one is using this function and just delete
it from the standard library. (A less severe version is to ask a
small but nonzero-size user community to switch to using separate
libraries for this functionality.)
Any thoughts?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.impredicative.com/pipermail/ur/attachments/20180519/c279ce8f/attachment.html>
More information about the Ur
mailing list