Re: How does Nginx look-up cached resource?

Maxim Dounin
September 07, 2015 01:00PM
Hello!

On Mon, Sep 07, 2015 at 05:44:49PM +0300, Gena Makhomed wrote:

> On 06.09.2015 4:56, Maxim Dounin wrote:
>
> >>The security of the MD5 hash function is severely compromised.
> >>A collision attack exists that can find collisions within seconds
> >>on a computer with a 2.6 GHz Pentium 4 processor (complexity of 2**24.1)
> >>- https://en.wikipedia.org/wiki/MD5#Security
> >
> >I said "took", not "takes now". The MD5 hash function was
> >introduced in 1991, and the first collision was found in 2004.
> >
> >Also, it's important to understand that, while collision attacks
> >now exist, it doesn't really make MD5 bad for various
> >non-security uses.
>
> nginx cache is a security use too.
>
> If a user configures a common shared cache for all virtual servers,
> and the config has two servers: the first, protected by access,
> auth_basic or auth_request modules from unauthorized use,
> and a second server with publicly available content.
>
> If an attacker knows proxy_cache_key, for example $scheme$host$request_uri
> and knows $request_uri from the protected site - he can create an MD5/crc32
> collision by building a specific $request_uri for the second server,
> and he will get unauthorized access to protected content
> from the first, protected web site.
>
> This looks like a vulnerability.

Yes, this looks like a valid example of a potentially affected
configuration. Though as far as I know, it is not currently
possible to construct a value (with chosen prefix) that maps to
a given md5 value.

> And this vulnerability can be fixed as Sergey Brester proposes:
>
> We should always compare the keys,
> after a cache entry with the hash value was found.
>
> Or the vulnerability can be minimized by using a secure hash
> function instead of the current cryptographically broken MD5.

I think moving away from MD5 is a right way to go.

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
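
The difference between looking a cache entry up by hash alone and comparing the full key after the hash matches, as discussed in the message above, shown as an added example that is not part of the original post and is not nginx code. It is a toy model: `weak_hash` is a deliberately weak byte-sum stand-in for a hash with known collisions, and the hosts `a.example` (protected) and `b.example` (public), the keys and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Toy shared cache (hypothetical, not nginx code): one slot per hash value. */
typedef struct {
    int         used;
    char        key[128];   /* full cache key, stored so a lookup can verify it */
    const char *body;
} entry_t;

static entry_t cache[256];

/* Deliberately weak 8-bit hash (sum of bytes), standing in for a hash
 * function for which two different keys can share one value. */
static uint8_t weak_hash(const char *key)
{
    uint8_t h = 0;
    while (*key) h += (uint8_t) *key++;
    return h;
}

static void cache_store(const char *key, const char *body)
{
    entry_t *e = &cache[weak_hash(key)];
    e->used = 1;
    snprintf(e->key, sizeof(e->key), "%s", key);
    e->body = body;
}

/* Hash-only lookup: any key with the same hash is served the entry. */
static const char *lookup_hash_only(const char *key)
{
    entry_t *e = &cache[weak_hash(key)];
    return e->used ? e->body : NULL;
}

/* Verified lookup: after the hash matches, the stored key must match too. */
static const char *lookup_verified(const char *key)
{
    entry_t *e = &cache[weak_hash(key)];
    return (e->used && strcmp(e->key, key) == 0) ? e->body : NULL;
}

int main(void)
{
    /* Constructed keys in $scheme$host$request_uri form; they collide under weak_hash. */
    cache_store("httpa.example/secret", "protected body");
    printf("hash only: %s\n", lookup_hash_only("httpb.example/secres"));
    printf("verified:  %s\n", lookup_verified("httpb.example/secres") ? "hit" : "miss");
    return 0;
}
```

With the key comparison in place, a colliding key from the public server results in a cache miss instead of the protected server's response.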