Closed Bug 1871105 Opened 1 year ago Closed 1 year ago

md5 in PlacesUtils.sys.mjs should be replaced with sha256

Categories

(Toolkit :: Places, task, P3)

Product:
Toolkit
Component:
Places
Type:
task

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: keeler, Unassigned)

References

Details

The use of md5 in PlacesUtils.sys.mjs should be replaced with sha256 (or removed if it's not used).

This may not be trivial to replace.

The PlacesPreview use should be taken care in 1871106.

The SafariProfileMigrator.sys.mjs use is not fixable, or better, it may implement its own md5 helper instead of using the PlacesUtils one... but Safari IS using md5 for filenames, there's no way around that.

The PlacesUIUtils.sys.mjs is using md5 to obfuscate uris in XULStore. It's not trivial as we can't migrate existing hashes to a different algo.

So what should we do if we can't stop using md5 in some cases?

Depends on: 1871106
Flags: needinfo?(dkeeler)
Severity: -- → N/A
Priority: -- → P3

(In reply to Marco Bonardo [:mak] from comment #1)

The SafariProfileMigrator.sys.mjs use is not fixable, or better, it may implement its own md5 helper instead of using the PlacesUtils one... but Safari IS using md5 for filenames, there's no way around that.

Keeping md5 for interoperability with Safari is fine.

The PlacesUIUtils.sys.mjs is using md5 to obfuscate uris in XULStore. It's not trivial as we can't migrate existing hashes to a different algo.

If the aim is to prevent history recovery using incidental metadata in XULStore, you probably want to use a per-profile salt (or add a way to clear this data when Firefox clears other private data). But in any case, yeah, switching to sha256 doesn't really make that mechanism stronger.

So I guess this is a wontfix.

Status: NEW → RESOLVED
Closed: 1 year ago
Flags: needinfo?(dkeeler)
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.