RequestValidator::computeSignature uses outdated sha1 hashing function #476

Closed
greggles opened this issue May 24, 2018 · 1 comment

greggles commented May 24, 2018

Version: 5.19.1+

Code Snippet

```php
base64_encode(hash_hmac("sha1", $url, $this->authToken, true));
```

Feature Request

The computeSignature function uses sha1 to verify that incoming requests come from Twilio. The sha1 function is increasingly unsafe as collisions have been found. It will take a coordinated effort to migrate away from this function, so it seems worth starting.

@imthepitts (Contributor) commented

Hi @greggles, thanks for checking with us.

We've discussed this with our security team and gotten some feedback. In short, the critical component of HMAC-SHA1 that distinguishes it from SHA-1 alone is the use of your Twilio AuthToken as a complex secret key, so while there are possible collision-based attacks on SHA-1 (and especially on MD5), HMACs are not affected by those same attacks - it's the combination of the underlying hashing algorithm (SHA-1) and the strength of the secret key (AuthToken) that protects you in this case. We are not using SHA-1 alone.

Hope that helps.

If you have further concerns, please contact our Support team: https://www.twilio.com/help/contact

Zack
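To make the distinction in the reply above concrete, here is an added PHP example (not code from twilio-php) that builds a request signature of the same shape as the snippet in the issue, `base64(HMAC-SHA1(authToken, data))`, and verifies it. It follows Twilio's documented scheme of appending the sorted POST parameters to the URL before hashing; the function names, the `$signatureHeader` parameter and all sample values are constructed for this example and are not real credentials.

```php
<?php
// Added example, not twilio-php code. Function names and sample values are
// assumptions; the auth token below is a constructed placeholder.

function computeSignature(string $authToken, string $url, array $params): string
{
    // Twilio's documented scheme: sort POST parameters by name and append
    // each name and value to the full request URL before signing.
    ksort($params);
    $data = $url;
    foreach ($params as $name => $value) {
        $data .= $name . $value;
    }
    // The secret key is what turns SHA-1 into an HMAC: without it, nobody can
    // produce a valid tag for a new message, regardless of SHA-1 collisions.
    return base64_encode(hash_hmac('sha1', $data, $authToken, true));
}

function validateRequest(string $authToken, string $url, array $params, string $signatureHeader): bool
{
    $expected = computeSignature($authToken, $url, $params);
    // hash_equals compares in constant time so a timing side channel does not
    // leak how many leading bytes of the expected signature matched.
    return hash_equals($expected, $signatureHeader);
}

// Constructed sample request (placeholder token, not a real Twilio AuthToken).
$authToken = 'PLACEHOLDER_AUTH_TOKEN_0000000000';
$url       = 'https://example.com/sms/webhook';
$params    = ['To' => '+15551234567', 'From' => '+15557654321', 'Body' => 'hello'];

$sig = computeSignature($authToken, $url, $params);
printf("X-Twilio-Signature: %s\n", $sig);

// The unmodified request verifies; a tampered body or the wrong key does not.
var_dump(validateRequest($authToken, $url, $params, $sig));
var_dump(validateRequest($authToken, $url, ['Body' => 'goodbye'] + $params, $sig));
var_dump(validateRequest('a-different-token', $url, $params, $sig));
```

Running it prints the signature followed by `true`, `false`, `false`: changing a single parameter or using a different token invalidates the tag. That is the property the reply relies on. A collision in SHA-1 lets an attacker find two inputs with the same plain hash, but HMAC keys the hash with the AuthToken, so an attacker who never sees the token cannot compute a tag for a message of their choosing; the practical defences remain keeping the AuthToken secret and rotating it if it leaks.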
