-
moparisthebest
looks like a fair number of XEPs specify sha3... yikes https://mouha.be/sha-3-buffer-overflow/
-
moparisthebest
a quick grep shows 300, 385, 390, 414, 447, 448
-
Kev
That's not a SHA-3 issue, though, but a bug in the implementation, isn't it?
-
Menel
I read that but didn't get it.. Is it a C issue, or inherent to sha3
-
moparisthebest
the reference implementation that most implementations copied
-
moparisthebest
it's a C issue that affects every language that uses C libraries that copied it, PHP, Python, probably more
-
Kev
> the reference implementation that most implementations copied Sure, and we should care a great deal about vulnerabilities in openssl, too, but we wouldn't stop recommending TLS because of them, I think.
-
moparisthebest
right I'm not saying sha3 is insecure and needs abandoned, I'm saying anyone using it should check their implementation :)
-
moparisthebest
(and stop writing C lol)
-
Kev
Oh, wow. It was only fixed yesterday, and disclosure today.
-
Kev
And XKCP has no official releases?
-
Daniel
Luckily my Java / android stack doesn't even support sha3 yet
-
singpolyma
Still trying to get people off sha1 half the time