From: Eric Wong
Date: 2017-09-19T16:55:26+00:00
Subject: [ruby-core:82879] Re: [Ruby trunk Feature#11365][Closed] Change Webrick to support SHA htpasswd files

merch-redmine@jeremyevans.net wrote:
> Apache labels the SHA1 support "insecure". It's unsalted, so
> weak passwords would fall quickly to a rainbow table attack.
> While the first SHA1 collision attack was reported earlier
> this year, I don't believe anyone has shown an SHA1 preimage
> attack (where you can find a matching password given the
> hash), so it isn't truly insecure for very strong passwords
> (say 12 random characters).

If there are real users of SHA1, there could still be a case for
adding support for it in WEBrick for Apache compatibility;
but maybe there aren't any users... We can do it if people ask for it...

> Anyway, things have changed since I first put together this
> patch. I no longer think it makes sense to add support to
> Webrick for anything besides bcrypt. Because bcrypt isn't
> currently in the stdlib, I think this can be closed.

Maybe we can support bcrypt as an optional dependency and issue
a warning when trying to read an htpasswd file w/o bcrypt
available.

Thanks.
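The two points discussed in this message (Apache's unsalted `{SHA}` format, and reading an htpasswd file with bcrypt as an optional dependency that triggers a warning when missing) can be sketched as follows. This is an added example, not code from the message or from WEBrick; `apache_sha`, `htpasswd_scheme`, `load_htpasswd` and the sample file are hypothetical names and constructed data.

```ruby
require 'digest'

# bcrypt is not in Ruby's stdlib, so treat the gem as an optional dependency.
begin
  require 'bcrypt'
  BCRYPT_AVAILABLE = true
rescue LoadError
  BCRYPT_AVAILABLE = false
end

# Apache's {SHA} scheme: "{SHA}" + Base64(SHA1(password)), with no salt.
def apache_sha(password)
  '{SHA}' + Digest::SHA1.base64digest(password)
end

# Classify an htpasswd hash field by its prefix.
def htpasswd_scheme(hash)
  case hash
  when /\A\$2[aby]\$/ then :bcrypt
  when /\A\{SHA\}/    then :sha1
  when /\A\$apr1\$/   then :apr1_md5
  else                     :other # crypt(3) or anything unrecognised
  end
end

# Hypothetical loader (not WEBrick's API): returns [entries, warnings].
def load_htpasswd(text, bcrypt_available: BCRYPT_AVAILABLE)
  entries = {}
  warnings = []
  text.each_line do |line|
    user, hash = line.strip.split(':', 2)
    next if user.nil? || hash.nil?
    scheme = htpasswd_scheme(hash)
    entries[user] = { scheme: scheme, hash: hash }
    if scheme == :bcrypt && !bcrypt_available
      warnings << "#{user}: bcrypt hash present but the bcrypt gem is not installed"
    elsif scheme == :sha1
      warnings << "#{user}: unsalted {SHA} hash"
    end
  end
  [entries, warnings]
end

# Constructed sample file; carol's hash is a placeholder, not a real bcrypt value.
SAMPLE = <<~HTPASSWD
  alice:#{apache_sha('password')}
  bob:#{apache_sha('password')}
  carol:$2y$05$CONSTRUCTED.PLACEHOLDER.NOT.A.REAL.BCRYPT.HASH.VALUE.
HTPASSWD
```

Because `{SHA}` has no salt, alice and bob end up with byte-identical hash fields for the same password, which is what makes precomputed tables effective against weak passwords.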