Address HashWick

[hashseed]

See https://darksi.de/12.hashwick-v8-vulnerability/

[hashseed]

I implemented siphash in V8 already and also merged the patch into node master, but am really busy these days. Can someone port this to gyp to enable it in node?

[Trott]

I implemented siphash in V8 already and also merged the patch into node master, but am really busy these days. Can someone port this to gyp to enable it in node?

@nodejs/node-gyp

[richardlau]

I believe this has now been addressed by #26367 which is active in 11.12.0. Please reopen if I am mistaken.

[rvagg]

I'm going to reopen this because we don't have full closure. At this stage I'd define closure as a public communication about status and impact. As far as I'm aware there are no plans for further technical changes (SipHash backport would be the only possible additional technical change but I don't believe that's practical?).

There was a conversation in private (https://github.com/nodejs-private/security/issues/198) about next steps, but that's gone stale as of a month ago so we may as well have it here.

I suggested that we formulate communication that outlined something like the following:

• Node 6 won't be fixed, too old and EOL soon anyway
• 64-bit seeds make HashWick much less risky, but theoretically not entirely impossible to exploit. Node 8 and 10 have that.
• Only Node 11+ get SipHash which makes HashWick go away (inasmuch as we can be certain about these things). Node 11 and 12 have that.
• We are not aware of any practical exploit of HashWick in the wild and believe you'll be safe with just 64-bit hash seeds in Node 8 and 10. Node 12 will be an important upgrade if you are concerned about this risk and want to be as certain as we are that it's fixed.

That last point being the tricky one to communicate.

I haven't drafted anything beyond those points but if someone else wants to take this ball and draft something to post on https://nodejs.org/en/blog/vulnerability/ then be my guest.

I still think the write-up I did about this is the most approachable public summary of the problem: https://nodesource.com/blog/node-js-and-the-hashwick-vulnerability/ although Fedor had some technical quibbles, see responses to https://twitter.com/NodeSource/status/1033009653062545408. This could be used as a reference to better explain the problem, along with https://darksi.de/12.hashwick-v8-vulnerability/.

[jasnell]

Ping @rvagg ... where are we at on this?

[rvagg]

Don't remember. Did 10.x ever get a V8 that had SipHash? Maybe not. This is for someone else to take up if they think it's still something to be concerned about (hint: it is, but it's a question of how much, SipHash just makes it slightly less practical).