[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug-wget] [bug #51666] Please hash the hostname in ~/.wget-hsts files

From: Tim Ruehsen
Subject: [Bug-wget] [bug #51666] Please hash the hostname in ~/.wget-hsts files
Date: Fri, 24 Aug 2018 04:46:49 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0

Follow-up Comment #5, bug #51666 (project wget):

Thanks for addressing the issue.

Saving the salt together with the (salted) hash isn't of big help when we talk
about a limited set of input strings. You can get complete lists of existing
domains and brute force through them in a few seconds. Can even be optimized
by starting with the top 1m domains. I just mention this to make clear that
this way of obscuring is far from being safe. It is just slightly more effort
to reverse the domain names in comparison to unsalted hashes.

Anyways, it helps from being fly-by looked at, e.g. on the console.

I would like to ask you to not use OpenSSL for hashing. We have/use the SHA256
digest functions from gnulib anyways. So it should be straight forward.


Reply to this item at:


  Message sent via Savannah

reply via email to

[Prev in Thread] Current Thread [Next in Thread]