
Move from SHA1 to SHA256

Open jvoisin opened this issue 2 years ago • 1 comments

It's absolutely not critical, since SHA1 is only used for cache invalidation, but it would still be a good idea to move to SHA256:

  • Both are natively supported in web browsers
  • SHA1 shouldn't be used anymore:
    • SHA1 was broken in 2020
    • SHA1 has been deprecated since 2011 and is scheduled for deletion by 2023 by the NIST
    • All major vendors ceased acceptance of SHA-1 SSL certificates in 2017.
    • Odds are that it's going to be phased out by web browsers, except for some legacy usages
  • SHA256 is roughly as fast if not faster than SHA1
    • SHA256 is faster than SHA1 in openssl
    • SHA256 is almost as fast as SHA1 on a nodejs from Apr 2022
    • While there are instructions on x86 to speed up both SHA1 and SHA256, odds are that the SHA1 will get deprecated, or at least not improved, while the SHA256 ones will.
Local benchmarks

```console
$ openssl speed sha1 sha256
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
sha1           327375.88k   845549.18k  1661196.46k  2138193.24k  2340312.41k  2455983.45k
sha256         309979.54k   752303.40k  1443518.89k  1855458.65k  2044474.71k  2044116.99k
```
```console
$ cat ./bench.js
const fs = require('fs');
const data = fs.readFileSync('./easylist.txt', 'utf8');

const Benchmark = require('benchmark');
const suite = new Benchmark.Suite;
const hash = require('crypto').createHash;
const scenarios = [
  { alg: 'sha1', digest: 'hex' },
  { alg: 'sha1', digest: 'base64' },
  { alg: 'sha256', digest: 'hex' },
  { alg: 'sha256', digest: 'base64' }
];
for (const { alg, digest } of scenarios) {
  suite.add(`${alg}-${digest}`, () =>
     hash(alg).update(data).digest(digest)
  );
}
suite.on('cycle', function(event) {
  console.log(String(event.target));
})
.on('complete', function() {
  console.log('Fastest is ' + this.filter('fastest').map('name'));
})
.run();
$ nodejs bench.js
sha1-hex x 691 ops/sec ±0.56% (95 runs sampled)
sha1-base64 x 689 ops/sec ±1.39% (95 runs sampled)
sha256-hex x 575 ops/sec ±4.05% (84 runs sampled)
sha256-base64 x 624 ops/sec ±1.86% (89 runs sampled)
Fastest is sha1-hex
$ nodejs --version
v12.22.12
$
```

jvoisin, Dec 15 '23 22:12

I'll keep it open, we'll consider changes to the spec later when we have more real-life experience with how it works.

ameshkov, Dec 24 '23 15:12