Explicitly warn not to use RSA-SHA1 and recommend HMAC-SHA1 in mwoauth-consumer-rsakey-help
Open, Needs Triage, Public

Description

http://mediawiki.localhost/index.php?title=Special:OAuthConsumerRegistration/propose/oauth1a displays mwoauth-consumer-rsakey-help saying

"Enter a public key to use the RSA-SHA1 signature method. Leave empty to use HMAC-SHA1 with a random secret. If you are not sure which, leave it empty."

In my understanding of https://en.wikipedia.org/wiki/SHA-1 this is something to explicitly discourage.
The string should express that RSA-SHA1 is insecure, and that HMAC-SHA1 is recommended.

Event Timeline

> In my understanding of https://en.wikipedia.org/wiki/SHA-1 this is something to explicitly discourage.

It's a long article; can you summarize why you think so?

> It's a long article; can you summarize why you think so?

"it is recommended to remove SHA-1 from products as soon as possible and instead use SHA-2 or SHA-3."
Or https://crypto.stackexchange.com/questions/60619/after-googles-collision-attack-is-rsa-sha1-signature-still-safe
But I am obviously not an encryption expert, so if I mix up things and this ticket doesn't make sense for some reason, please close as invalid or declined. Thanks!

To pull off a collision attack on RSA-SHA1 you'd need to somehow trick a legitimate application into sending a request that has (at least partially) been determined by you, intercept it and read the signature. I guess not strictly impossible if the request is sent unencrypted, but seems pretty hard to pull off. But then we send the same information unencrypted (aside from HTTPS) for OAuth 2 so I don't think it's worth worrying about. Maybe the extension page should note that it's not recommended for use on non-HTTPS-only wikis, but then if you are running a non-HTTPS-only wiki you have bigger problems than that.
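
For reference, what an OAuth 1.0a signature covers in the HMAC-SHA1 case the help message defaults to, following RFC 5849. This is an added example, not part of the thread and not the OAuth extension's code; the URL, consumer key, secrets and parameter values are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value: str) -> str:
    """RFC 5849 section 3.6 encoding: only unreserved characters stay as-is."""
    return quote(value, safe="-._~")


def signature_base_string(method: str, base_uri: str, params) -> str:
    """Method, URL and every parameter end up in the text that gets signed."""
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])


def sign_hmac_sha1(base: str, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 keyed with the shared secrets; no RSA key pair is involved."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify_hmac_sha1(base: str, signature: str, consumer_secret: str,
                     token_secret: str = "") -> bool:
    """Server side: recompute and compare in constant time."""
    expected = sign_hmac_sha1(base, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)


# Constructed sample request (hypothetical wiki and credentials).
SAMPLE_URI = "https://wiki.example/w/index.php"
SAMPLE_PARAMS = [
    ("title", "Special:OAuth/initiate"),
    ("oauth_callback", "oob"),
    ("oauth_consumer_key", "constructed-consumer-key"),
    ("oauth_nonce", "constructed-nonce"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "1700000000"),
    ("oauth_version", "1.0"),
]
SAMPLE_SECRET = "constructed-consumer-secret"

if __name__ == "__main__":
    base = signature_base_string("GET", SAMPLE_URI, SAMPLE_PARAMS)
    sig = sign_hmac_sha1(base, SAMPLE_SECRET)
    print(base)
    print(sig, verify_hmac_sha1(base, sig, SAMPLE_SECRET))
```

Changing any signed parameter changes the base string, so a signature captured for one request does not verify for a different one.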