Comments (2)
Hi SakuraLove,
I just noticed your issue was closed without any responses. Sorry to see that there weren't any responses at an earlier time (I'd assumed that someone would've piped in).
I guess the issue is either resolved or not important now, seeing as the issue has been closed, but I'll try to answer anyhow.
It's difficult to say exactly whether using SHA1 for your API will be safe or unsafe without knowing the exact context of its use, how it's being used and so on. Generally though, compared to other, newer hashing algorithms, SHA1 isn't considered safe anymore, because it has recently left the club of hashing algorithms without known collisions and entered the club of hashing algorithms with known collisions (so, officially unsafe, in that regard). It's possible that your own implementation won't run into any specific security problems, but seeing as it's now officially unsafe, I can't say with any certainty that any unknown implementation of it would be safe.
Also see:
- At death’s door for years, widely used SHA1 function is now dead
  (Actually not technically "dead", seeing as it is actually actively being used extensively throughout the internet to this day and currently, including by Git, for signing commits, but its status of being considered secure could be considered "dead", so, whatever.)
- Google Just Cracked the Widely Used SHA-1 Function – It’s Now “Officially” Unsafe
- SHAttered.io website
- The first collision for full SHA-1 (PDF)
from api-security-checklist.
Thank you anyway. I noticed that nobody answered this issue, so I closed it.
Yes, it has never been safe. I noticed that Google's team cracked the SHA-1 function some months ago.
I will also try to use the newer hashing and encrypt the trade info with AES.
And the API is using HTTPS to send information, too.
Our team is also discussing the security. And my project has met a big problem now :(
However, thank you very much for answering me. Have a nice day.
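The thread ends with "use the newer hashing", which in practice means retiring existing SHA-1 records without breaking them on day one. The following is an added example, not code from the api-security-checklist project or from either commenter; the `algorithm$hexdigest` tag format and the legacy/current policy are constructed for illustration.

```python
# Added example (not from the issue thread): tagging digests with their
# algorithm so an API can retire SHA-1 records without a flag day.
import hashlib
import hmac

# Constructed policy: algorithms that may still be *verified* for existing
# records, and the single algorithm allowed for anything new.
LEGACY_ALGORITHMS = {"sha1", "md5"}
CURRENT_ALGORITHM = "sha256"


def make_digest(data: bytes, algorithm: str = CURRENT_ALGORITHM) -> str:
    """Return 'algorithm$hexdigest'. Refuses to create new weak digests."""
    if algorithm in LEGACY_ALGORITHMS:
        raise ValueError(f"{algorithm} has known collisions; refusing new digests")
    return f"{algorithm}${hashlib.new(algorithm, data).hexdigest()}"


def verify_digest(data: bytes, stored: str) -> tuple[bool, bool]:
    """Return (matches, needs_rehash).

    Legacy digests still verify so old records keep working, but the
    caller is told to replace them with a CURRENT_ALGORITHM digest.
    """
    algorithm, _, expected = stored.partition("$")
    if algorithm not in LEGACY_ALGORITHMS and algorithm != CURRENT_ALGORITHM:
        raise ValueError(f"unknown or untrusted algorithm tag: {algorithm!r}")
    actual = hashlib.new(algorithm, data).hexdigest()
    # Constant-time comparison avoids leaking how many leading hex
    # characters matched.
    matches = hmac.compare_digest(actual, expected)
    return matches, matches and algorithm in LEGACY_ALGORITHMS


def migrate_record(data: bytes, stored: str) -> str:
    """Verify a record and return the digest that should be stored going forward."""
    matches, needs_rehash = verify_digest(data, stored)
    if not matches:
        raise ValueError("digest mismatch; record not migrated")
    return make_digest(data) if needs_rehash else stored


if __name__ == "__main__":
    # Constructed sample: a legacy SHA-1 record created before the policy change.
    payload = b"order_id=42&amount=10.00"
    legacy = "sha1$" + hashlib.sha1(payload).hexdigest()
    print(verify_digest(payload, legacy))   # (True, True)
    print(migrate_record(payload, legacy))  # sha256$...
```

Rehashing on successful verification lets the SHA-1 tags disappear as records are touched, and `make_digest` guarantees no new SHA-1 or MD5 digest is ever written.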