On 08/31/2012 08:41 AM, Raphael Hertzog wrote:
> What openly available data are you referring to?
The hash calculated in django-registration is sent out to people registering a new account, as part of the URL to click on when confirming the registration of a new account. It is used as an identifier in the communication. So if you are able to calculate a collision in it, you might do things like:

- register an account on a non-existing e-mail address
- register an account on the e-mail address of somebody else
- confirm a registration request of somebody else

Note the contrast with the use of hashes in the password storage (the use of SHA1 that is deprecated in Django 1.4). In password storage the use of hashes is a second line of defense: to avoid compromise of the passwords after a compromise of the database. The use of hashes in django-registration is a first line of defense.

Calculating a collision with SHA1 is demonstrated in a proof of concept. Right now it would probably still be impossible, or at worst not be practical, to launch such an attack against django-registration. But because cryptographic weaknesses tend to become more and more exploitable over time, I regard the use of SHA1 in python-django-registration 0.7.1 as a ticking time bomb.

Winfried

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
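As an added illustration (not code from the bug report, from Debian, or from django-registration itself), the following Python toy models the flow the message describes: the activation key is the only credential in the confirmation URL, so whoever presents a key equal to the stored one activates the account, which is what makes it a first line of defense rather than a second one like a password hash. The SHA1 construction shown is an assumed reconstruction of the 0.7.x style (a short random salt prepended to the username, hashed once), placed beside a hardened key drawn straight from the OS CSPRNG; the class, function names and the example.invalid URL are hypothetical.

```python
"""Toy account-activation flow (added illustration; not django-registration's
own code). The SHA1 key construction below is an assumed reconstruction of the
0.7.x style and is labelled as such; everything else is hypothetical."""
import hashlib
import secrets
from typing import Callable, Dict, Optional, Tuple


def legacy_activation_key(username: str, salt: Optional[str] = None) -> str:
    """SHA1-based key in the assumed 0.7.x style: a short random salt
    prepended to the username, hashed once. The only secret input is the
    5 hex characters of salt; the username is public and the hash is SHA1."""
    if salt is None:
        salt = hashlib.sha1(secrets.token_bytes(16)).hexdigest()[:5]
    return hashlib.sha1((salt + username).encode("utf-8")).hexdigest()


def random_activation_key(username: str = "") -> str:
    """Hardened alternative: 256 bits straight from the OS CSPRNG. There is
    no structure to attack and nothing to collide; the username is ignored."""
    return secrets.token_hex(32)


class PendingRegistrations:
    """Stands in for the database table of unconfirmed registrations.
    The activation key is a bearer token: presenting a stored key is the
    only proof that the caller controls the e-mail address, which is why
    the hash here is a first line of defense, not a second one."""

    def __init__(self, key_func: Callable[[str], str]) -> None:
        self._key_func = key_func
        self._pending: Dict[str, Tuple[str, str]] = {}

    def register(self, username: str, email: str) -> str:
        """Create the pending record and return the key that goes into the
        confirmation URL e-mailed to `email`."""
        key = self._key_func(username)
        self._pending[key] = (username, email)
        return key

    @staticmethod
    def activation_url(key: str) -> str:
        # hypothetical URL layout; the key is the only credential in it
        return f"https://example.invalid/accounts/activate/{key}/"

    def activate(self, presented_key: str) -> Optional[str]:
        """Activate whichever pending registration the key identifies.
        Returns the activated username, or None if no record matches.
        A key equal to a stored key, however it was obtained, wins."""
        record = self._pending.pop(presented_key, None)
        return record[0] if record else None


def demo() -> Dict[str, object]:
    """Run the flow with the hardened key and return the observable results."""
    reg = PendingRegistrations(random_activation_key)
    key = reg.register("alice", "alice@example.invalid")
    return {
        "url": reg.activation_url(key),
        "forged": reg.activate("0" * len(key)),   # wrong key: nothing activates
        "genuine": reg.activate(key),             # real key: alice is activated
        "replayed": reg.activate(key),            # key is single-use
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Swapping `random_activation_key` for `legacy_activation_key` in `demo()` leaves the flow identical; only the key's resistance to being computed or collided by someone who never received the e-mail changes, which is exactly the property the message argues SHA1 no longer guarantees over time.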