Last modified: 2014-04-21 21:18:36 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T62832, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 60832 - Better hashing for IP addresses on Event Logging
Status: RESOLVED FIXED
Product: Analytics
Classification: Unclassified
Assigned To: Nobody - You can work on this!
Reported: 2014-02-04 15:38 UTC by nuria
Modified: 2014-04-21 21:18 UTC (History)
Description nuria 2014-02-04 15:38:47 UTC
The current behavior when hashing IP addresses on Event Logging is to generate a 'salt' (really a key) at runtime and to use it continuously for the lifetime of the program. The lifespan of the key and the cheapness of the hash function make it easier to attack.

Per the security team's request we should be making EventLogging scramble IPs by generating an HMAC SHA1 with the IP address as the message and a random byte string as the key. The key rotates every 90 days.
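
The scheme requested in the description above (HMAC-SHA1 with the IP address as the message and a random byte string as the key, rotated every 90 days), written out in Python as an added example. It is not the code from the Gerrit changeset or from EventLogging; the class name, the key length and the injectable clock are assumptions.

```python
import hashlib
import hmac
import os
import time

KEY_LIFESPAN = 90 * 24 * 60 * 60  # 90 days, per the bug description
KEY_BYTES = 64  # assumption: the report does not state a key length


class RotatingIpHasher:
    """Scramble IPs with HMAC-SHA1 under a random key that expires."""

    def __init__(self, clock=time.time, lifespan=KEY_LIFESPAN):
        self._clock = clock  # injectable so rotation can be exercised
        self._lifespan = lifespan
        self._key = None
        self._expires = 0.0

    def _current_key(self):
        now = self._clock()
        if self._key is None or now >= self._expires:
            # The old key is overwritten, never stored: tokens from an
            # earlier period cannot be recomputed or joined to new ones.
            self._key = os.urandom(KEY_BYTES)
            self._expires = now + self._lifespan
        return self._key

    def hash_ip(self, ip):
        mac = hmac.new(self._current_key(), ip.encode("ascii"), hashlib.sha1)
        return mac.hexdigest()


def demo():
    """Constructed run: fake clock and documentation-range addresses."""
    now = [0.0]
    hasher = RotatingIpHasher(clock=lambda: now[0])
    first = hasher.hash_ip("192.0.2.10")
    same_period = hasher.hash_ip("192.0.2.10")
    other_ip = hasher.hash_ip("192.0.2.11")
    now[0] = KEY_LIFESPAN  # the key has now expired
    after_rotation = hasher.hash_ip("192.0.2.10")
    return first, same_period, other_ip, after_rotation


if __name__ == "__main__":
    for token in demo():
        print(token)
```

The IPv4 space has only 2^32 values, so the tokens are only as private as the key: it has to stay in memory on the logging host and never be written next to the data.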
Comment 1 Bingle 2014-02-04 15:40:45 UTC
Prioritization and scheduling of this bug is tracked on Mingle card https://wikimedia.mingle.thoughtworks.com/projects/analytics/cards/cards/1430
Comment 2 nuria 2014-04-21 21:17:44 UTC
Changes in this regard were already made. This bug can be closed.
Comment 3 nuria 2014-04-21 21:18:36 UTC
Pertinent changeset: https://gerrit.wikimedia.org/r/#/c/110700/