looks like sha-1 is over


Oleg Artemiev

Feb 23, 2017, 2:51:09 PM
to qubes...@googlegroups.com
a little bit offtopic, everyone is using sha-256, I guess,

http://shattered.it/

but, btw - any comments to this in Qubes context:

----------------------------------------------------cut-------------------------
How is GIT affected?

GIT strongly relies on SHA-1 for the identification and integrity
checking of all file objects and commits. It is essentially possible
to create two GIT repositories with the same head commit hash and
different contents, say a benign source code and a backdoored one. An
attacker could potentially selectively serve either repository to
targeted users. This will require attackers to compute their own
collision.
----------------------------------------------------cut-------------------------

?

--
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C 9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/
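
How the head commit hash in the quoted passage depends on file contents only through a chain of SHA-1 digests, as an added example that is not part of the original thread or of Git's own code. The file contents, identity and timestamp are constructed, and the `algo` parameter is an assumption of this sketch that lets the same chain be computed with SHA-256 for comparison:

```python
import hashlib

def git_object_id(obj_type: str, body: bytes, algo: str = "sha1") -> str:
    """Hash an object the way Git does: '<type> <size>\\0' header + body."""
    header = f"{obj_type} {len(body)}\0".encode()
    return hashlib.new(algo, header + body).hexdigest()

def tree_body(entries, algo: str = "sha1") -> bytes:
    """Serialize a flat tree: '<mode> <name>\\0' + raw (binary) blob id."""
    out = b""
    for mode, name, content in sorted(entries, key=lambda e: e[1]):
        blob_id = git_object_id("blob", content, algo)
        out += f"{mode} {name}\0".encode() + bytes.fromhex(blob_id)
    return out

def commit_id(files, message: str, algo: str = "sha1") -> str:
    """Head commit id of a one-commit repository holding `files`."""
    tree_id = git_object_id("tree", tree_body(files, algo), algo)
    # Constructed identity and timestamp, fixed so the id is reproducible.
    who = "Example Dev <dev@example.invalid> 1487880000 +0000"
    body = f"tree {tree_id}\nauthor {who}\ncommitter {who}\n\n{message}\n"
    return git_object_id("commit", body.encode(), algo)

# Constructed sample contents: two repositories differing in one byte.
BENIGN = [("100644", "main.c", b"int main(void) { return 0; }\n")]
ALTERED = [("100644", "main.c", b"int main(void) { return 1; }\n")]

if __name__ == "__main__":
    for label, files in (("benign", BENIGN), ("altered", ALTERED)):
        # The commit names the tree by digest, the tree names each blob by
        # digest: the head id vouches for the content only as far as the
        # hash function is collision resistant at every link of the chain.
        print(label, "sha1  ", commit_id(files, "init"))
        print(label, "sha256", commit_id(files, "init", "sha256"))
```

Anything that pins or signs only the head commit id inherits this property, which is why the collision resistance of the hash at each link matters.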

Robin Schneider

Feb 23, 2017, 3:36:46 PM
to qubes...@googlegroups.com

On 02/23/2017 08:51 PM, Oleg Artemiev wrote:
> a little bit offtopic, everyone is using sha-256, I guess,
>
> http://shattered.it/
>
> but, btw - any comments to this in Qubes context:
>
> ----------------------------------------------------cut-------------------------
> How is GIT affected?
>
> GIT strongly relies on SHA-1 for the identification and integrity checking
> of all file objects and commits. It is essentially possible to create two
> GIT repositories with the same head commit hash and different contents,
> say a benign source code and a backdoored one. An attacker could
> potentially selectively serve either repository to targeted users. This
> will require attackers to compute their own collision.
> ----------------------------------------------------cut-------------------------
>
> ?

Hey

You might be interested in this issue:

https://github.com/QubesOS/qubes-issues/issues/2240

--
Live long and prosper
Robin `ypid` Schneider -- https://me.ypid.de/