SHA1 collisions found

My takeaway from all that – the git project is internally taking steps to mitigate vulnerabilities from this particular attack (making it harder to insert the arbitrary binary data necessary into git metadata), but a) is just throwing up their hands at the problem of projects that store binary blobs like image data in their repos, and b) is not taking this as a signal that more serious sha-1 attacks are on the horizon and they should speed up their hash-replacement efforts.

This latter leads into the problems with Linus’ positions in particular. In that thread, does not take seriously the threats that this poses to the broader git userbase, because he only seems to care about the kernel use-case: trusted hosting infrastructure at (itself an iffy assumption, given previous hacks and the use of mirrors), and the exclusive storage of human-readable text in the repo which makes binary garbage harder to sneak in. These do not apply to most users of git. His rather extreme public position (paraphrased, “our security doesn’t depend on SHA1”) is even more troubling – it absolutely does depend on SHA1, this just isn’t (yet) a strong enough attack to absolutely screw over the kernel. A stronger collision attack (eg a chosen-prefix as opposed to identical-prefix, or godforbid a pre-image attack) would absolutely invalidate the whole git security model.

Related Posts

  • Spongebob is on!June 23, 2001 Spongebob is on! *yodels for his sweetheart C'mon, hon! C'mon gang! It's the Flying Dutchman's ghost […]
  • My tweetsNovember 23, 2010 My tweets My tweets Mon, 06:24: sky is clear and fullish moon out. supposed to drop into the 30s […]
  • August 1, 2007 DSCN5895 (via Photos from scottobear)
  • Stormy’s last day in North Beach.July 30, 2013 Stormy’s last day in North Beach. Stormy's last day in north beach., originally uploaded by scottobear. Taken while […]
  • 7418 – 20 questions.June 3, 2005 7418 – 20 questions. 1. If you were to live as a cartoon character, who would you be? I'd like to be Plastic […]

Leave a Reply