SHA1 has been compromised

[JacksonGL]

Report of a potential security vulnerability: by default, this package uses SHA-1 (code location) for authentication, which has been compromised (link) two months ago.

[mikeal]

Per spec, do all other implementation have to support another hashing algorithm?

[JacksonGL]

No, that's why its an opportunity to make this package safer than the other implementations. Plus SHA-1 may be deprecated in the near future if the practical attack is revealed.

[mikeal]

@JacksonGL my concern is that updating it would make it incompatible with those other implementations. if they don't support other hashing standards then we're breaking compatibility with those servers.

That said, we should add optional support for another hashing algorithm ASAP. At some point in the future we can consider a breaking change that would modify the default algorithm.

[JacksonGL]

Yes. It would be great to add such an optional support.

[jstlns]

I would be fine with a major version bump to make SHA256 the default. I expect most places to move away from SHA-1 and may be forced to by security audit tools. Or find a different library.

[mikeal]

I had a conversation with @hueniverse (author of OAuth) about this and the threat is a little exaggerated in this specific use case.

At this point I don't think it's reasonable to change the default. I'm all for adding the option though.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[shankarkrupa]

Nexus.IQ reports this as an issue sonatype-2017-0655 preventing it from deploying in highly secured environments. Please consider reopening the issue.

[ananthakumar25]

As part of security analysis from Sonatype Nexus.IQ , this is an severe issue as it reports "The request package is vulnerable to Weak Authentication Algorithm. The function function in oauth.js uses SHA-1 for authentication which is no longer considered cryptographically secure." - This is preventing the code promotion to higher environment.

Could you please consider reopening this issue?

[mikeal]

request is deprecated and is no longer shipping new releases.

[ananthakumar25]

request is deprecated and is no longer shipping new releases.

Do you have any alternate packages or versions to use?

[cyclone14]

check out issue #3143