[wp-trac] [WordPress Trac] #39309: Secure WordPress Against Infrastructure Attacks
WordPress Trac
noreply at wordpress.org
Wed Mar 6 10:27:49 UTC 2019
#39309: Secure WordPress Against Infrastructure Attacks
------------------------------------------+-----------------------
Reporter: paragoninitiativeenterprises | Owner: pento
Type: enhancement | Status: assigned
Priority: normal | Milestone: 5.2
Component: Upgrade/Install | Version: 4.8
Severity: critical | Resolution:
Keywords: has-patch | Focuses:
------------------------------------------+-----------------------
Comment (by paragoninitiativeenterprises):
It's incredibly unlikely that the SHA2 family of hash function is going to
be broken anytime soon.
That being said, if it does, I don't suspect SHA512/224 (collision
resistance of 112 bits) will fare much better than SHA384 (collision
resistance of 192 bits).
https://3v4l.org/l9TVZ
For PHP 7.1 and newer, `sha3-256` (or `sha3-384` for consistency) would
make a better alternative, due to how different SHA3 is than SHA2.
But otherwise, yes, having the machinery in-place to upgrade the hash
function used (e.g. via multisig) is a good idea. I don't anticipate
SHA384 having a security reduction to less than 100 bits until practical
quantum computers are developed.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39309#comment:60>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list