[Cryptography] SHA1 collisions make Git vulnerable to attacks by third-parties, not just repo maintainers

Phillip Hallam-Baker phill at hallambaker.com
Thu Feb 23 20:29:34 EST 2017


On Thu, Feb 23, 2017 at 7:46 PM, John Levine <johnl at iecc.com> wrote:

> In article <20170223181409.GA6085 at savin.petertodd.org> you write:
> >Concretely, I could prepare a pair of files with the same SHA1 hash, taking
> >into account the header that Git prepends when hashing files.
>
> The Google blog post describes what they did, and mentioned that it
> used upward of 6500 CPU-years to create.  So while I agree that the
> collision is real, and github should switch to better hashes ASAP, I'm
> not too worried about an immediate blizzard of fake source code.
>

Which means there is reason for concern and urgent efforts to fix Git.

There is no reason to panic. But we do need to act.
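The Git header mentioned in the quoted text is easy to see concretely. The following is an added example, not code from the original post or from the Git project: it reproduces how Git derives an object id (SHA-1 over the ASCII header `<type> <length>\0` followed by the content) and shows that the same bytes give a different raw SHA-1 and Git blob id. The function names are mine; the sample content is constructed.

```python
import hashlib


def git_object_id(obj_type: str, content: bytes) -> str:
    """Object id Git assigns to `content` stored as an object of type `obj_type`.

    Git does not hash the file bytes directly: it prepends the ASCII header
    "<type> <decimal length>" terminated by a NUL byte, then takes SHA-1 of
    header + content. A collision against a Git object therefore has to
    account for this header (and the length it encodes), as the quoted
    message notes.
    """
    if obj_type not in ("blob", "tree", "commit", "tag"):
        raise ValueError(f"unknown Git object type: {obj_type}")
    header = f"{obj_type} {len(content)}\0".encode("ascii")
    return hashlib.sha1(header + content).hexdigest()


def git_blob_id(content: bytes) -> str:
    """Equivalent of `git hash-object` run on a file holding these bytes."""
    return git_object_id("blob", content)


def raw_sha1(content: bytes) -> str:
    """Plain SHA-1 of the bytes, for contrast with the Git object id."""
    return hashlib.sha1(content).hexdigest()


def blob_ids_collide(a: bytes, b: bytes) -> bool:
    """True if Git would file two different byte strings under the same blob id.

    Because the header encodes the length, contents of different lengths get
    different headers; a colliding pair must match in length as well as
    collide under SHA-1 over header + content.
    """
    return a != b and git_blob_id(a) == git_blob_id(b)


if __name__ == "__main__":
    # Constructed sample input; the blob ids match what `git hash-object` prints.
    sample = b"test content\n"
    print("raw sha1    :", raw_sha1(sample))
    print("git blob id :", git_blob_id(sample))
    print("empty blob  :", git_blob_id(b""))
```

For defenders the practical point is that the header only changes which SHA-1 preimage an attacker must target, not the hardness of finding one; Git 2.13 and later ship the SHA-1DC implementation, which refuses objects whose hashing exhibits the known collision-attack patterns.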


