| Time | Nick | Message |
|---|---|---|
| 00:51 | | diceLibrarian joined #minetest-dev |
| 01:00 | | ShadowBot joined #minetest-dev |
| 01:04 | | diceLibrarian joined #minetest-dev |
| 04:00 | | MTDiscord joined #minetest-dev |
| 04:06 | | tekakutli joined #minetest-dev |
| 04:57 | | fluxionary joined #minetest-dev |
| 05:10 | | calcul0n_ joined #minetest-dev |
| 05:39 | | calcul0n joined #minetest-dev |
| 06:17 | | tekakutli joined #minetest-dev |
| 07:05 | | olliy joined #minetest-dev |
| 08:22 | | Warr1024 joined #minetest-dev |
| 08:25 | | tekakutl` joined #minetest-dev |
| 08:46 | | Warr1024 joined #minetest-dev |
| 09:27 | | tekakutli joined #minetest-dev |
| 10:07 | | lionkor joined #minetest-dev |
| 10:18 | | imi joined #minetest-dev |
| 11:46 | | lionkor joined #minetest-dev |
| 12:32 | | appguru joined #minetest-dev |
| 13:20 | rubenwardy | We should consider dropping support for sha1 authentication, as it allows a downgrade attack |
| 13:21 | rubenwardy | /setpassword still uses sha1, so we'd need to make that use srp and then force users joining with sha1 to change their passwords |
| 13:24 | rubenwardy | it's a shame this wasn't done from the beginning |
| 13:26 | nrz_ | it's a mess in our roadmap i think, anyway, is there a path to migrate? 🙂 |
| 13:27 | rubenwardy | We could make it so the client automatically changes the password using srp if it joins using sha1 |
| 13:28 | rubenwardy | could use a password cracker to upgrade from sha1 in bulk |
| 13:29 | rubenwardy | It's tricky though as lots of users won't have logged in for a while, so straight up removing it would lock them out of their account. So for deprecation, you might have to add warnings or disable sha1 behind a setting |
| 14:38 | | proller joined #minetest-dev |
| 14:55 | pgimeno | the automatic client-side upgrade sounds reasonable to me, the bulk upgrade doesn't |
| 14:55 | rubenwardy | that was a joke, hence the strikeout |
| 14:56 | pgimeno | ah I didn't see any strikeout |
| 14:56 | rubenwardy | woo IRC |
| 14:57 | pgimeno | I think it's safe to say that there's time for the upgrade |
| 14:58 | pgimeno | 'The [best known collision] attack required "the equivalent processing power of 6,500 years of single-CPU computations and 110 years of single-GPU computations"' |
| 15:00 | pgimeno | that'd be per user; it can be (and was accomplished) faster, but at a big cost |
| 15:02 | pgimeno | what kind of attack would cracking a SHA1 password require? a preimage attack? |
| 15:06 | | Desour joined #minetest-dev |
| 15:13 | Desour | we don't need to deprecate anything. AUTH_MECHANISM_LEGACY_PASSWORD still does srp, as written in #13758 |
| 15:13 | ShadowBot | https://github.com/minetest/minetest/issues/13758 -- Deprecate/remove support for sha1 authentication |
| 15:16 | rubenwardy | does it do SRP over the network though? |
| 15:17 | rubenwardy | if the client is authing using sha1 and then the server stores that in srp, that's a very weird situation and still subject to all the disadvantages |
| 15:18 | Desour | see Client::startAuth(). legacy and normal srp have the same code path, just that legacy does sha1 hash on the password before |
| 15:19 | Desour | (=> yes, over the network) |
| 15:20 | Desour | and creating new auth entries with sha1 is no available option |
| 15:20 | rubenwardy | Ah interesting, so to solve this migration problem they've just put the sha1 into srp? That's wack but I suppose it solves the problem of users needing to upgrade |
| 15:40 | | TheCoffeMaker joined #minetest-dev |
| 15:54 | | tekakutli joined #minetest-dev |
| 16:10 | | tekakutl` joined #minetest-dev |
| 16:23 | | lionkor joined #minetest-dev |
| 16:46 | | proller joined #minetest-dev |
| 16:57 | | appguru joined #minetest-dev |
| 17:21 | | Fleckenstein joined #minetest-dev |
| 17:51 | | lionkor joined #minetest-dev |
| 18:04 | sfan5 | merging #13755, #13745, #13717 in a few minutes or so |
| 18:04 | ShadowBot | https://github.com/minetest/minetest/issues/13755 -- Small setting-related fixes by grorp |
| 18:04 | ShadowBot | https://github.com/minetest/minetest/issues/13745 -- Fix freeze in core.check_for_falling by savilli |
| 18:04 | ShadowBot | https://github.com/minetest/minetest/issues/13717 -- [NO SQUASH] Inventory: Fix assertion caused by a no-op stack movement by SmallJoker |
| 19:00 | | Fleckenstein joined #minetest-dev |
| 19:11 | | proller joined #minetest-dev |
| 20:45 | | proller joined #minetest-dev |
| 20:54 | | m42uko_ joined #minetest-dev |
| 20:55 | | TheCoffeMaker_ joined #minetest-dev |
| 20:56 | | rubywarden joined #minetest-dev |
| 20:56 | | fluxionary_ joined #minetest-dev |
| 22:35 | | panwolfram joined #minetest-dev |
| 22:36 | | tekakutli joined #minetest-dev |