[whatwg] Browser Bundled Javascript Repository
Joseph Pecoraro
joepeck02 at gmail.com
Mon Jun 15 18:48:56 PDT 2009
>> c) fun things would happen with a SHA collision! ;)
>
> c) Hehe, I think I detect a hint of sarcasm. If there is a SHA1
> collision then you'd probably make a lot of money!
>
>
> C is a serious concern. SHA-1 collisions are now 2^51 - http://eprint.iacr.org/2009/259.pdf
This time I didn't detect sarcasm =)

I was actually aware of that paper. I saw it on Reddit this past week,
and although they complained about the fact that it has not yet been
reviewed I think it could very well be valid. It's been known that
SHA1 has been theoretically broken (not perfect 2**80) for some time
now: (2005)
http://www.schneier.com/blog/archives/2005/02/sha1_broken.html

However, its application in this Repository idea is not to be a
cryptographically secure hash, it would just be to perform a quick,
reliable, hash of the contents and to produce a unique identifier.
There would be no security concerns in the impossibly rare chance that
two scripts' hashes collide. Just add some whitespace to the text
somewhere! It would even be easy to debug with standard tools
such as Firefox's Firebug and WebKit's Web Inspector. Hahaha =)

Also, Git and Mercurial (distributed version control systems) have
been using SHA1 for the exact same purpose for years. I'm more
familiar with Git's use of SHA1 and it uses it everywhere in the
internals (file contents, directory listings, commit history).

Finally, if anyone here is seriously concerned with SHA1 just move to
SHA-256 or SHA-512. With a repository unlikely to grow into the
thousands, much less the millions, the chances of a collision even in
2**51 (2251799813685248 base 10) is bold thinking ;)

I'm not attacking anyone here, I'm just clarifying why I think SHA1 is
not a bad choice. Collision will always be an issue when an infinite
number of things gets reduced to a finite set of values, but the
concern is negligible when done right.

Cheers
- Joe
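
Added example (not part of the original post or of any proposal text): a content-addressed script store in Node.js, where the identifier is the digest of the script bytes, the algorithm can be switched between SHA-1 and SHA-256, and a stored copy is served only if it still hashes to the digest the page declared. `ScriptRepository`, `add`, `lookup`, the idea that a page declares the expected digest, and the sample script are assumptions made for illustration.

```javascript
// Added example, not from the original post. ScriptRepository and its
// methods are hypothetical names for the bundled-repository idea.
const { createHash } = require('node:crypto');

class ScriptRepository {
  constructor(algorithm = 'sha256') {
    this.algorithm = algorithm;   // 'sha1' is the choice debated in the thread
    this.store = new Map();       // hex digest -> Buffer of script bytes
  }

  // Identifier = hex digest of the exact script bytes.
  idFor(source) {
    return createHash(this.algorithm).update(source).digest('hex');
  }

  // Bundle a script and return its content-derived identifier.
  add(source) {
    const bytes = Buffer.from(source, 'utf8');
    const id = this.idFor(bytes);
    const existing = this.store.get(id);
    // Same digest with different bytes is a collision: refuse it rather
    // than letting one script silently stand in for another.
    if (existing && !existing.equals(bytes)) {
      throw new Error(`digest collision on ${id}`);
    }
    this.store.set(id, bytes);
    return id;
  }

  // Return the bundled copy only when the stored bytes still hash to the
  // declared digest; null means "not bundled or not trustworthy", so the
  // caller (assumed) loads the script the normal way instead.
  lookup(declaredId) {
    const id = declaredId.toLowerCase();
    const bytes = this.store.get(id);
    if (!bytes || this.idFor(bytes) !== id) return null;
    return bytes.toString('utf8');
  }
}

// Constructed sample input: two scripts that differ by one trailing space
// get unrelated identifiers.
const repo = new ScriptRepository('sha256');
const original = 'function greet(n) { return "hi " + n; }';
const idOriginal = repo.add(original);
const idPadded = repo.add(original + ' ');
```
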