Using md5 instead of crc32 for ETags #1435

rlidwka opened this Issue · 3 comments

3 participants


Currently express.js uses crc32 for ETags and generates them only if a body is larger than 1024 bytes.

I wanted cryptographically secure ETags for my app, so I did some benchmarks: (shitty benchmark:

It turns out that the native md5 implementation with openssl is as fast as crc32.js when we deal with 1024-byte strings (7µs vs 9µs), and it is two times faster when we deal with large files (0.8ms vs 1.8ms on a 2MB file). It sucks with 10-byte strings because of the C++ barrier, but we don't calculate them on 10-byte responses, do we?

So, I'd suggest changing the default ETag algorithm to `require('crypto').createHash('md5').update(string).digest('hex')` because it's faster, more secure and supported by the node.js core team. Also, this way you can get rid of the crc dependency in express (though it's still used in connect and seems to make sense there).

PS: tested on node-0.8.14


Oh yeah, crypto lib is actively supported by node.js core team, and it's exactly why it's going to be 6 times slower in 0.9. :)

Well... never mind then.

@rlidwka rlidwka closed this
@dougwilson dougwilson reopened this
@dougwilson dougwilson self-assigned this

i think we should either use sha256 because sha1 and md5 are old, or we should stick to crc32 and make it configurable.


> stick to crc32 and make it configurable.

this is what i'm working on ;)

@dougwilson dougwilson was unassigned by rlidwka
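
An added example, not part of the thread and not Express's own code: a configurable ETag generator of the kind discussed above, built on Node's `crypto` module, together with the `If-None-Match` comparison that the tag feeds. `makeEtagger`, `isFresh` and `MIN_BODY_BYTES` are hypothetical names; the 1024-byte threshold is the one stated in the issue, and the sample bodies are constructed.

```javascript
// Added example: hypothetical helper names, not Express's API.
const crypto = require('crypto');

const MIN_BODY_BYTES = 1024; // threshold described in the issue text

// Build an ETag generator for a chosen hash algorithm (e.g. 'md5', 'sha256').
function makeEtagger(algorithm) {
  if (!crypto.getHashes().includes(algorithm)) {
    throw new Error('unsupported hash algorithm: ' + algorithm);
  }
  return function etag(body) {
    const buf = Buffer.isBuffer(body) ? body : Buffer.from(String(body), 'utf8');
    if (buf.length <= MIN_BODY_BYTES) return null; // small bodies get no ETag
    const digest = crypto.createHash(algorithm).update(buf).digest('hex');
    return '"' + digest + '"'; // ETag values are quoted strings
  };
}

// Decide whether a conditional GET can be answered with 304 Not Modified.
// If-None-Match uses weak comparison, so a leading W/ is ignored.
function isFresh(ifNoneMatch, currentEtag) {
  if (!ifNoneMatch || !currentEtag) return false;
  if (ifNoneMatch.trim() === '*') return true;
  const strip = (t) => t.trim().replace(/^W\//, '');
  return ifNoneMatch.split(',').map(strip).includes(strip(currentEtag));
}

// Constructed sample bodies: one above the threshold, one below it.
const big = 'a'.repeat(2048);
const small = 'hello';
const md5Tag = makeEtagger('md5');
const sha256Tag = makeEtagger('sha256');

function demo() {
  return {
    small: md5Tag(small),                 // below threshold: no tag
    md5Length: md5Tag(big).length,        // 32 hex chars plus two quotes
    sha256Length: sha256Tag(big).length,  // 64 hex chars plus two quotes
    fresh: isFresh('"zzz", ' + sha256Tag(big), sha256Tag(big)),
    stale: isFresh(sha256Tag(big), sha256Tag(big + 'b')),
  };
}

console.log(demo());
```
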