XSF Discussion - 2022-10-21

  1. moparisthebest

    looks like a fair number of XEPs specify sha3... yikes https://mouha.be/sha-3-buffer-overflow/

  2. moparisthebest

    a quick grep shows 300, 385, 390, 414, 447, 448

  3. Kev

    That's not a SHA-3 issue, though, but a bug in the implementation, isn't it?

  4. Menel

    I read that but didn't get it.. Is it a C issue, or inherent to sha3

  5. moparisthebest

    the reference implementation that most implementations copied

  6. moparisthebest

    it's a C issue that affects every language that uses C libraries that copied it, PHP, Python, probably more

  7. Kev

    > the reference implementation that most implementations copied Sure, and we should care a great deal about vulnerabilities in openssl, too, but we wouldn't stop recommending TLS because of them, I think.

  8. moparisthebest

    right I'm not saying sha3 is insecure and needs abandoned, I'm saying anyone using it should check their implementation :)

  9. moparisthebest

    (and stop writing C lol)

  10. Kev

    Oh, wow. It was only fixed yesterday, and disclosure today.

  11. Kev

    And XKCP has no official releases?

  12. Daniel

    Luckily my Java / android stack doesn't even support sha3 yet

  13. singpolyma

    Still trying to get people off sha1 half the time