[whatwg] Browser Bundled Javascript Repository

Joseph Pecoraro joepeck02 at gmail.com
Mon Jun 15 18:48:56 PDT 2009


>> c) fun things would happen with a SHA collision! ;)
>
> c) Hehe, I think I detect a hint of sarcasm.  If there is a SHA1  
> collision then you'd probably make a lot of money!
>
>
> C is a serious concern. SHA-1 collisions are now 2^51 - http://eprint.iacr.org/2009/259.pdf

This time I didn't detect sarcasm =)

I was actually aware of that paper. I saw it on Reddit this past week,  
and although they complained about the fact that it has not yet been  
reviewed, I think it could very well be valid.  It's been known that  
SHA1 has been theoretically broken (not perfect 2**80) for some time  
now: (2005)
http://www.schneier.com/blog/archives/2005/02/sha1_broken.html

However, its application in this Repository idea is not as a  
cryptographically secure hash; it would just be to perform a quick,  
reliable hash of the contents and to produce a unique identifier.   
There would be no security concerns in the impossibly rare chance that  
two scripts' hashes collide. Just add some whitespace to the text  
somewhere!  It would even be easy to debug with standard tools  
such as Firefox's Firebug and WebKit's Web Inspector. Hahaha =)

Also, Git and Mercurial (distributed version control systems) have  
been using SHA1 for the exact same purpose for years.  I'm more  
familiar with Git's use of SHA1 and it uses it everywhere in the  
internals (file contents, directory listings, commit history).

Finally, if anyone here is seriously concerned with SHA1, just move to  
SHA-256 or SHA-512.  With a repository unlikely to grow into the  
thousands, much less the millions, the chances of a collision even in  
2**51 (2251799813685248 base 10) are bold thinking ;)

I'm not attacking anyone here, I'm just clarifying why I think SHA1 is  
not a bad choice.  Collision will always be an issue when an infinite  
number of things gets reduced to a finite set of values, but the  
concern is negligible when done right.

Cheers
- Joe
