SHA1 cracked .... What are the chances this will be addressed in LC?

Richard Gaskin ambassador at fourthworld.com
Fri Feb 24 11:28:59 EST 2017


As much as I enjoy chatting with other users, a while back I had hoped 
to make this more actionable by submitting an enhancement request for 
sha256:

http://quality.livecode.com/show_bug.cgi?id=14223

The challenge with satisfying that request is two fold:

- sha2 is not a single algo, but a family of algos, and requires new 
syntax forms that have to be thought out in addition to the more complex 
engineering work to support that new set of language design patterns.

- This chart shows that sha2 already has minor weaknesses, which will 
likely become more significant over time, suggesting we might already 
start looking at extending the afore-mentioned framework even further to 
include sha3 (and I suppose even be prepared for the inevitable sha4).
http://valerieaurora.org/hash.html

All that said, in light of the visibility of the issue after the recent 
Google research, I discussed this with a member of the core dev team 
yesterday, who will be evaluating the merit of this more comprehensive 
framework vs perhaps a simpler implementation of merely the most 
commonly-use sha2 flavor for now.

After that analysis is done I trust we'll get an update on that soon.

For now, just rest assured that they read the same security bulletins we 
do (Peter tends to read more than me, so I always pick up a trick or two 
talking with him about security), and are actively exploring options for us.

-- 
  Richard Gaskin
  Fourth World Systems
  Software Design and Development for Desktop, Mobile, and Web
  ____________________________________________________________
  Ambassador at FourthWorld.com        http://www.FourthWorld.com




More information about the Use-livecode mailing list