The computeSignature function uses sha1 to verify that incoming requests come from Twilio. The sha1 function is increasingly unsafe as collisions have been found. It will take a coordinated effort to migrate away from this function, so it seems worth starting.
We've discussed this with our security team and gotten some feedback. In short, the critical component of HMAC-SHA1 that distinguishes it from SHA-1 alone is the use of your Twilio AuthToken as a complex secret key, so while there are possible collision-based attacks on SHA-1 (and especially on MD5), HMACs are not affected by those same attacks - it's the combination of the underlying hashing algorithm (SHA-1) and the strength of the secret key (AuthToken) that protects you in this case. We are not using SHA-1 alone.
Version: 5.19.1+
Feature Request