[Cryptography] SHA1 collisions make Git vulnerable to attacks by third-parties, not just repo maintainers
Phillip Hallam-Baker
phill at hallambaker.com
Thu Feb 23 20:29:34 EST 2017
On Thu, Feb 23, 2017 at 7:46 PM, John Levine <johnl at iecc.com> wrote:
> In article <20170223181409.GA6085 at savin.petertodd.org> you write:
> >Concretely, I could prepare a pair of files with the same SHA1 hash, taking
> >into account the header that Git prepends when hashing files.
>
> The Google blog post describes what they did, and mentioned that it
> used upward of 6500 CPU-years to create. So while I agree that the
> collision is real, and github should switch to better hashes ASAP, I'm
> not too worried about an immediate blizzard of fake source code.
>
Which means there is reason for concern and urgent efforts to fix Git.
There is no reason to panic. But we do need to act.
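
Added example, not part of the original message: the header that Git prepends when hashing a file, and a defender-side check that flags files whose bytes differ but whose Git object IDs match. The names `git_object_id`, `find_colliding_blobs` and `SAMPLE` are assumptions made for this illustration, and the sample contents are constructed.

```python
import hashlib
from collections import defaultdict


def git_object_id(data: bytes, kind: str = "blob", algo: str = "sha1") -> str:
    """Hash data the way Git does: '<kind> <size>\\0' header, then the content."""
    header = f"{kind} {len(data)}\0".encode()
    return hashlib.new(algo, header + data).hexdigest()


def find_colliding_blobs(files: dict, id_func=git_object_id) -> list:
    """Return sorted name groups whose contents differ but share one object ID.

    Contents are compared by SHA-256, so identical files stored under two
    names are not reported; only a shared ID over different bytes is.
    """
    by_id = defaultdict(dict)
    for name, data in files.items():
        strong = hashlib.sha256(data).hexdigest()
        by_id[id_func(data)].setdefault(strong, []).append(name)
    return [
        sorted(n for names in variants.values() for n in names)
        for variants in by_id.values()
        if len(variants) > 1  # same ID, more than one distinct content
    ]


# Constructed sample input: two identical files and one different file.
SAMPLE = {
    "a.txt": b"hello world\n",
    "b.txt": b"hello world\n",
    "c.txt": b"test content\n",
}

if __name__ == "__main__":
    for name, data in SAMPLE.items():
        raw = hashlib.sha1(data).hexdigest()
        # The raw SHA-1 and the Git blob ID differ because of the header.
        print(f"{name}: raw sha1={raw} git blob id={git_object_id(data)}")
    print("colliding groups:", find_colliding_blobs(SAMPLE))
```

Because the header is hashed first, a file pair that collides under plain SHA-1 does not automatically share a Git blob ID; the pair has to be computed with the header included, as the quoted message says.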