Konstantin :C_H:<p>I recently ran into an interesting discrepancy:</p><p>What you see below are 120-bit Session IDs, one printed as hex and one in the format of a <a href="https://infosec.exchange/tags/UUIDv4" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>UUIDv4</span></a>.</p><p>After validating their randomness, I would classify the first as secure but raise concerns about the second.</p><p>Why?</p><p>Well, according to RFC 4122:</p><p>"Do not assume that UUIDs are hard to guess; they should not be used as security capabilities (identifiers whose mere possession grants access), for example."</p><p>And that's exactly what a session ID is: an identifier whose possession grants access. As such, UUIDs should not be used in such a case.</p><p>What do you think? Is this nitpicking? Or a valid security nuance?</p><p>Does the format in which data is displayed have an impact on its security?</p><p>I'd love to hear your thoughts.</p><p><a href="https://infosec.exchange/tags/Pentesting" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Pentesting</span></a> <a href="https://infosec.exchange/tags/AppSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AppSec</span></a> <a href="https://infosec.exchange/tags/InfoSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InfoSec</span></a> <a href="https://infosec.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurity</span></a> <a href="https://infosec.exchange/tags/BugBounty" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BugBounty</span></a> <a href="https://infosec.exchange/tags/Hacking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Hacking</span></a></p>
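<p>The comparison Konstantin describes, as an added Python example that is not part of the post: the same 120 CSPRNG bits are rendered once as hex and once packed into the 122 random-bit slots of an RFC 4122 UUIDv4 layout, a round trip shows the UUID shape loses nothing, and a small triage helper reports what a reviewer can infer from a token's form alone (for a UUID, the version nibble tells you whether the generator was random at all). Function and field names are my own.</p>

```python
import re
import secrets
import uuid

# Canonical 8-4-4-4-12 form; a bare 32-hex-digit string is NOT treated as a UUID here
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def new_session_bits() -> bytes:
    """120 bits (15 bytes) from the OS CSPRNG, the token size discussed in the post."""
    return secrets.token_bytes(15)


def as_hex(raw: bytes) -> str:
    return raw.hex()  # 30 hex digits, 120 bits, no structure


def as_uuid4(raw: bytes) -> str:
    """Lay 120 random bits into a UUIDv4 string. RFC 4122 fixes the version nibble
    (bits 76-79 = 0100) and the variant (bits 62-63 = 10); the other 122 bits are
    free, so we fill 120 of them and zero two. Only the presentation changes."""
    if len(raw) != 15:
        raise ValueError("expected 15 bytes (120 bits)")
    r = int.from_bytes(raw, "big")
    hi, mid, lo = r >> 72, (r >> 60) & 0xFFF, r & ((1 << 60) - 1)
    packed = (hi << 80) | (0x4 << 76) | (mid << 64) | (0b10 << 62) | lo
    return str(uuid.UUID(int=packed))


def recover_bits(token: str) -> bytes:
    """Inverse of as_uuid4: the 120 random bits come back out intact."""
    n = uuid.UUID(token).int
    hi, mid, lo = n >> 80, (n >> 64) & 0xFFF, n & ((1 << 60) - 1)
    return ((hi << 72) | (mid << 60) | lo).to_bytes(15, "big")


def assess_token(token: str) -> dict:
    """What a reviewer can say from the token's shape: format, the most random bits
    it could carry, and whether a UUID's version marks it as random (v4) rather
    than time-based (v1) or name-based (v3/v5), which is the RFC's actual warning."""
    if UUID_RE.match(token):
        v = uuid.UUID(token).version  # None when the variant is not RFC 4122
        if v == 4:
            return {"format": "uuid", "version": 4, "max_random_bits": 122, "concern": None}
        return {"format": "uuid", "version": v, "max_random_bits": None,
                "concern": f"UUID version {v} is not defined as random; check the generator"}
    try:
        bits = len(bytes.fromhex(token)) * 8
    except ValueError:
        return {"format": "unknown", "version": None, "max_random_bits": None,
                "concern": "unrecognised encoding"}
    return {"format": "hex", "version": None, "max_random_bits": bits,
            "concern": None if bits >= 120 else f"only {bits} bits"}
```

<p>The triage only reads the token's form; whether the bits behind a v4 string really came from a CSPRNG still has to be checked at the generator.</p>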