Usage of SHA-1

[plizze]

Please tell me that teamspeak is not using a broken hash function for cryptograhpicly assigning permissions...

https://shattered.io/

[plizze]

Why was my post about the used hash function deleted?

Does or does teamspeak not use SHA-1 for any kind of public/private key hashing?

Just deleting the post is not helpfull for anybody

Edit: Can answer the question myself, you guys are indeed using a hash function which is known to produce colissions since atleast 2017 and instead of answering a questions, you delete the post. what kind of security is this? security by obscurity? However deleted the post, that must be a joke...

How about you move to SHA2 instead of ignoring the problem?!

[Chris]

Why was my post about the used hash function deleted?

Because it was referencing an off topic post, besides being off topic itself. Moved to its own topic now.

How about you move to SHA2 instead of ignoring the problem?!

That would change the representation of the unique identifier, which would involve a lot of changes and difficulties. It would either mean everyone would lose all their permissions on all servers, or the client / server would need to be updated to handle a graceful switch over to the new one, while still having to support the old one for at least some time due to people not updating their clients.
The chance of an actual collision happening is obscure, so there isn't really much of a need to change it right now.

[plizze]

Because it was referencing an off topic post, besides being off topic itself. Moved to its own topic now.

For me it looked like you try to cover stuff up, my bad. But next time think about messanging a user when you delete his post to clarify it for both parties.

That would change the representation of the unique identifier, which would involve a lot of changes and difficulties. It would either mean everyone would lose all their permissions on all servers, or the client / server would need to be updated to handle a graceful switch over to the new one, while still having to support the old one for at least some time due to people not updating their clients.
The chance of an actual collision happening is obscure, so there isn't really much of a need to change it right now.

So basically you say that legacy clients > security. Sry but thats a statement i cant share. It might be unsatisfying to recreate identies, but if there are critical security flaws, and a collision is THE WORST that can happen to a hash function, that only purpose is NOT to create any collision, then the biggest priority has to be to fix the issue. Like you said, if you dont start NOW the problem will just be delayed more.. and more .. and more.. You could and should have started to atleast create new identies based on SHA-2 back 2017! So please stop delaying it even further now.

Hope this will improve the situation.

[florian2833z]

Military grade encryption xd

[plizze]

BTW: The first theoretical attacks papers were published in 2005 and the NIST listed SHA-1 deprecated in 2011.. That was in Beta-Server times if i remember correctly?

Misstakes can happen and that no issue, important is what you do now, and you need to act quick.

[ANR Daemon]

SHA1 is strong enough for the reasons it is used by TS3, where it is used.
Don't be that hysterical girl.

[plizze]

SHA1 is strong enough for the reasons it is used by TS3, where it is used.
Don't be that hysterical girl.

The HASH-Function is broken, and its known since 14 Years, Teamspeak messed up by not switching years ago, and it seems like they tend not todo so in the near future and you say thats its fine?
Get your facts straight and do some research on SHA1 on your own instead of insulting me for pointing out the obvious.

Youre ignorant by saying "for the reason its used its fine" - no its not. It does not matter for what you use the function, if its broken, its broken and you have to switch. Stating anything different just shows your lacking of basic security knowledge.

[florian2833z]

The HASH-Function is broken, and its known since 14 Years, Teamspeak messed up by not switching years ago, and it seems like they tend not todo so in the near future and you say thats its fine?
Get your facts straight and do some research on SHA1 on your own instead of insulting me for pointing out the obvious.

Youre ignorant by saying "for the reason its used its fine" - no its not. It does not matter for what you use the function, if its broken, its broken and you have to switch. Stating anything different just shows your lacking of basic security knowledge.

Thank you

Does anyone know if there's a site where I can find all the info about teamspeak's security system, including key exchange parameters, encryption algorithm, etc?

[preterive]

It would either mean everyone would lose all their permissions on all servers, or the client / server would need to be updated to handle a graceful switch over to the new one, while still having to support the old one for at least some time due to people not updating their clients.
The chance of an actual collision happening is obscure, so there isn't really much of a need to change it right now.

Why not updating with Teamspeak 5??

[florian2833z]

Any plans to change this?

[ScP]

Any plans to change this?

Yes...

[plizze]

Yes...

Thats good news, but a little more information is necessary.

What are you migration plans? When do you migrate? What happens to the existing identities? How will you mitigate the problems Chris mentioned earlier?

[florian2833z]

When will this be changed and what is going to be changed?

[ANR Daemon]

The HASH-Function is broken, and its known since 14 Years, Teamspeak messed up by not switching years ago, and it seems like they tend not todo so in the near future and you say thats its fine?
Get your facts straight and do some research on SHA1 on your own instead of insulting me for pointing out the obvious.

Youre ignorant by saying "for the reason its used its fine" - no its not. It does not matter for what you use the function, if its broken, its broken and you have to switch. Stating anything different just shows your lacking of basic security knowledge.

Surely you have a working PoC exploit against TS3 encryption then?
Mind filing a CVE?