
Isn't SHA-256 vulnerable to length extension attacks?

Yes, but so is SHA-384 and that is not relevant for the TLS context.

384 is not vulnerable to length extension attacks precisely because it is truncated. The output is not the full internal state.

The speed advantage of SHA-512 and the advantage of truncation is why some more exotic variants like SHA-512/256 (SHA-512 truncated to 256 bits) are used in newer protocols.
