snapview/tungstenite-rs

Replace sha1 as sha1 is Cryptographically Broken

HatkarK opened this issue · 1 comments

HatkarK commented

As we know sha1 is Cryptographically Broken, shouldnt it replaced with sha2 or something here.
https://crates.io/crates/sha1

daniel-abramov commented

We do not use sha1 for cryptography. We only use it to comply with the WebSocket RFC 6455 when generating the SHA-1 hash during the WebSocket handshake, this does not have any security implications.

As per RFC:

The WebSocket handshake described in this document doesn't depend on
   any security properties of SHA-1, such as collision resistance or
   resistance to the second pre-image attack (as described in
   [[RFC4270](https://www.rfc-editor.org/rfc/rfc4270)]).