#uuidv4

Konstantin :C_H:<p>I recently ran into an interesting discrepancy:</p><p>What you see below are 120-bit Session IDs, one printed as hex and one in the format of a <a href="https://infosec.exchange/tags/UUIDv4" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>UUIDv4</span></a>.</p><p>After validating their randomness, I would classify the first as secure but raise concerns about the second.</p><p>Why?</p><p>Well, according to RFC 4122:</p><p>"Do not assume that UUIDs are hard to guess; they should not be used as security capabilities (identifiers whose mere possession grants access), for example."</p><p>And that's exactly what a session ID is: an identifier whose possession grants access. As such, UUIDs should not be used in such a case.</p><p>What do you think? Is this nitpicking? Or a valid security nuance?</p><p>Does the format in which data is displayed have an impact on its security?</p><p>I'd love to hear your thoughts.</p><p><a href="https://infosec.exchange/tags/Pentesting" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Pentesting</span></a> <a href="https://infosec.exchange/tags/AppSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AppSec</span></a> <a href="https://infosec.exchange/tags/InfoSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InfoSec</span></a> <a href="https://infosec.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurity</span></a> <a href="https://infosec.exchange/tags/BugBounty" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BugBounty</span></a> <a href="https://infosec.exchange/tags/Hacking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Hacking</span></a></p>
Elias Probst<p><a href="https://mastodon.social/tags/Proxmox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Proxmox</span></a> just generates a <a href="https://mastodon.social/tags/UUIDv4" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>UUIDv4</span></a> like<br>3b7d2d2c-3732-41db-a678-8bc4aeaf9155 as a secret for auth tokens? 😱<br>This looks a lot like a bad security practice to me, especially when RFC4122 says:</p><p>"Do not assume that UUIDs are hard to guess; they should not be used as security capabilities (identifiers whose mere possession grants access), for example. A predictable random number source will exacerbate the situation."</p><p><a href="https://mastodon.social/tags/ITSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ITSecurity</span></a></p>
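Both posts above rest on the same two facts: the UUIDv4 text form publishes six bits of structure (the version nibble and two variant bits), so a 128-bit UUID carries at most 122 unguessable bits, and the format says nothing about whether the bytes behind it came from a CSPRNG, which is what RFC 4122's warning is really about. The following Python is an added example written for this page, not code from either poster or from Proxmox; the function names (`uuid4_from`, `unguessable_bits`, `assess`) and the 64-bit policy floor are my own choices. It builds a UUIDv4 from an explicit byte source so the source can be inspected, generates both a hex and a UUID-form session ID from `secrets`, and scores a token's format the way a reviewer would when triaging the Session ID question.

```python
"""Session identifiers in hex versus UUIDv4 form (added example)."""
import re
import secrets
import uuid

# Canonical 8-4-4-4-12 text form of a UUID
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)
HEX_RE = re.compile(r"^[0-9a-f]+$", re.I)

# Policy knob (assumption): minimum unguessable bits accepted in a session ID.
# 64 matches the floor in the OWASP Session Management Cheat Sheet.
MIN_ENTROPY_BITS = 64


def uuid4_from(source) -> uuid.UUID:
    """Build a version-4 UUID from the 16 bytes returned by source().

    RFC 4122 fixes the version nibble (0100) and the two variant bits (10),
    so only 122 of the 128 bits come from the source. The format itself
    cannot tell you how good that source is; that is the RFC's warning.
    """
    raw = bytearray(source())
    if len(raw) != 16:
        raise ValueError("need exactly 16 bytes of random input")
    raw[6] = (raw[6] & 0x0F) | 0x40  # version 4
    raw[8] = (raw[8] & 0x3F) | 0x80  # RFC 4122 variant
    return uuid.UUID(bytes=bytes(raw))


def new_session_id_uuid() -> str:
    """Session ID in UUIDv4 text form, fed from the OS CSPRNG via secrets."""
    return str(uuid4_from(lambda: secrets.token_bytes(16)))


def new_session_id_hex(nbytes: int = 16) -> str:
    """Session ID as plain hex: every nibble is random, nothing is fixed.

    nbytes=15 gives the 120-bit, 30-character form from the first post.
    """
    return secrets.token_hex(nbytes)


def unguessable_bits(token: str) -> int:
    """Upper bound on the bits an attacker cannot read off the token text.

    For a UUID the version and variant bits are public structure; for a
    plain hex string every digit contributes 4 bits. This is a format
    check only: it cannot detect a weak generator behind a good-looking token.
    """
    if UUID_RE.match(token):
        u = uuid.UUID(token)
        if u.version == 4 and u.variant == uuid.RFC_4122:
            return 128 - 4 - 2
        # Time- or name-based UUIDs (v1, v3, v5): nothing in them is secret
        return 0
    if HEX_RE.match(token):
        return 4 * len(token)
    raise ValueError("unrecognised token format")


def assess(token: str) -> dict:
    """Triage verdict for a session ID based on its visible format."""
    bits = unguessable_bits(token)
    return {
        "format": "uuid" if UUID_RE.match(token) else "hex",
        "bits": bits,
        "meets_policy": bits >= MIN_ENTROPY_BITS,
    }


if __name__ == "__main__":
    # The UUID below is the one quoted in the second post, used as sample input.
    for t in (new_session_id_hex(15), new_session_id_uuid(),
              "3b7d2d2c-3732-41db-a678-8bc4aeaf9155"):
        print(t, assess(t))
```

Run against the first post's pair, this reports 120 unguessable bits for the 30-character hex ID and 122 for a well-formed UUIDv4, so on format alone both clear a 64-bit floor; the decisive question the RFC raises is the byte source behind `uuid4_from`, which no inspection of the token string can answer. The one-line bit mask in `uuid4_from` is also why a UUID is a poor container for secrets: it spends six bits advertising that it is a UUID.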