higher entropy for security or privacy related tokens (!709) · Merge requests · foodsharing-dev / foodsharing

chandi requested to merge audit/increase-entropy into master Feb 18, 2019

What does this MR do?

currently there is mostly uniqid() used for generating secret tokens, which is basically just the time in microseconds.

If we know the execution time for generating an password-request-token with ±10ms precision, we only need to try <20.000 times to take over an account.

less critical, but privacy relevant: Email-Attachments, cache-index,...

How confident are you it won't break things if deployed?

pretty

Checklist

no unrelated changes
asked someone for a code review
joined #foodsharing-beta channel at https://slackin.yunity.org
added an entry to CHANGELOG.md (description, merge request link, username(s))

Edited Feb 18, 2019 by chandi

higher entropy for security or privacy related tokens

What does this MR do?

How confident are you it won't break things if deployed?

Checklist

Merge request reports