James Server / JAMES-2201

Vulnerable to SHAttered attack

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: master
    • Fix Version/s: master
    • Component/s: mailbox
    • Labels:
      None

      Description

      Given the way SHA-1 is used to index attachments, it is vulnerable to the SHAttered attack (https://shattered.io/), meaning you can overwrite the attachment of a first email with a second email.

      It is not critical yet as it took a lot of computational power from Google to generate those 2 PDFs, but this issue will probably become widespread in coming years and I think switching to SHA-256, for instance, is a low-hanging fruit.

      The same problem arises with Cassandra blob IDs.
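
      The following is an added example, not part of the original report and not James code: a hypothetical content-addressed store (`BlobStore`) shows why two distinct attachments with the same digest end up in one slot, and how a longer digest or a compare-on-write check prevents it. Assumption: `weak_id` truncates SHA-1 to 8 bits as a constructed stand-in for a digest with practical collisions, so the effect is reproducible offline.

```python
import hashlib
from itertools import count

def sha256_id(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def weak_id(data: bytes) -> str:
    # Constructed stand-in for a collision-prone digest:
    # SHA-1 truncated to 8 bits so a collision exists among 257 inputs.
    return hashlib.sha1(data).hexdigest()[:2]

class BlobStore:
    """Hypothetical content-addressed store: the blob ID is the content digest."""
    def __init__(self, id_func, verify=False):
        self.id_func, self.verify, self.blobs = id_func, verify, {}

    def save(self, data: bytes) -> str:
        blob_id = self.id_func(data)
        existing = self.blobs.get(blob_id)
        # Hardened mode: same ID with different bytes is reported, not stored.
        if self.verify and existing is not None and existing != data:
            raise ValueError(f"digest collision on blob {blob_id}")
        self.blobs[blob_id] = data  # without verify: last writer wins
        return blob_id

def colliding_pair(id_func):
    """Return two distinct constructed payloads that id_func maps to one ID."""
    seen = {}
    for i in count():
        data = b"attachment-%d" % i
        blob_id = id_func(data)
        if blob_id in seen:
            return seen[blob_id], data
        seen[blob_id] = data

def demo():
    """For each ID scheme, report whether the first attachment survives."""
    first, second = colliding_pair(weak_id)
    results = {}
    for name, id_func in (("weak", weak_id), ("sha256", sha256_id)):
        store = BlobStore(id_func)
        first_id = store.save(first)   # attachment of the first email
        store.save(second)             # attachment of the second email
        results[name] = store.blobs[first_id] == first
    return results

if __name__ == "__main__":
    print(demo())
```

      With `verify=True` the store raises on the second write instead of silently replacing the first attachment, which also gives a place to log the event.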

            People

            • Assignee:
              Unassigned
              Reporter:
              thithib Thibaut SAUTEREAU