Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
4 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
6acd337
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I’m confused as to why this change is good. What is different about the hmac implementation in OpenSSL that makes it better?
Also please can we ditch @env.HTTP_USER_AGENT? It stops flash applets from being able to communicate with camping apps by killing their session, and presumably does the same to java. I’ve had to make my own http_user_agentless secure_blob_hasher to get flash to work with my camping webapp, where I use a flash applet to upload pictures, which was annoying and confusing. :/
6acd337
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Cryptology is pretty hard, and doing hash(key + data) has proved to be insecure: http://en.wikipedia.org/wiki/HMAC#Design_Principles
We’re not aiming for prefect security, but when can get a better solution for free I’m not complaining :-)
USER_AGENT is probably a good idea to remove, though!
6acd337
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm… Fair enough! _
Doesn’t that algorithm require two different secret keys though? Do we know that the implementation in OpenSSL is strong? I would have thought everything in SSL would be incredibly outdated and ancient.