long2ice/fastapi-cache

Use Blake2 instead of MD5

igoose1 opened this issue · 1 comments

What's the point of md5 usage?

cache_key = hashlib.md5( # noqa: S324

MD5 was proven to be insecure. It's possible to find collisions fast. A potential attacker theoretically can send unique query parameters which weren't present in the past but which will be cache-hit. Although it's difficult for me to make up an example where this is a security breach, it's still possible in a complex system.

Probably md5 was chosen because of its speed. At least the code owners look aware of the issue: linter warnings are ignored with "noqa" comments.

Though the key builder can be changed manually, I'm suggesting changing the algorithm in the library. Blake2 is a faster and secure hashing algorithm included in the Python standard library.

Benchmarks:

[image] (from http://www.blake2.net/)

[image] (from https://medium.com/logos-network/benchmarking-hash-and-signature-algorithms-6079735ce05)

Update: I was wrong about "A potential attacker theoretically can send unique query parameters which weren't present in the past but which will be cache-hit". Hashing is used only for code written by programmers. Then it's more difficult to make up a security issue here.
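Added example, not part of the original issue and not fastapi-cache's own code: a sketch of the swap the issue proposes, with an MD5-based cache key beside a BLAKE2b-based one built with Python's `hashlib`. The function names, the `namespace` argument, the `person` label and the length-prefixed serialization are assumptions made for illustration.

```python
import hashlib


def canonical(func, args, kwargs) -> bytes:
    """Serialize the call unambiguously: each field is length-prefixed."""
    fields = [
        func.__module__,
        func.__qualname__,
        repr(args),
        repr(sorted(kwargs.items())),  # keyword order must not change the key
    ]
    out = b""
    for field in fields:
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return out


def md5_key(namespace, func, args=(), kwargs=None) -> str:
    """MD5-based key, the style the issue questions."""
    data = canonical(func, args, kwargs or {})
    digest = hashlib.md5(data, usedforsecurity=False).hexdigest()  # noqa: S324
    return f"{namespace}:{digest}"


def blake2_key(namespace, func, args=(), kwargs=None, digest_size=16) -> str:
    """BLAKE2b-based key; digest_size=16 keeps the key as short as MD5's."""
    data = canonical(func, args, kwargs or {})
    digest = hashlib.blake2b(
        data,
        digest_size=digest_size,
        person=b"cache-key-v1",  # domain separation (constructed label, max 16 bytes)
    ).hexdigest()
    return f"{namespace}:{digest}"


def get_user(user_id, verbose=False):  # constructed sample endpoint
    return {"id": user_id, "verbose": verbose}


if __name__ == "__main__":
    print(md5_key("demo", get_user, (42,), {"verbose": True}))
    print(blake2_key("demo", get_user, (42,), {"verbose": True}))
    print(blake2_key("demo", get_user, (42,), {"verbose": True}, digest_size=32))
```

Raising `digest_size` (up to 64 for BLAKE2b) lengthens the key and lowers the chance of two different calls sharing a cache entry; `usedforsecurity=False` requires Python 3.9 or later.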