Ian Fette (イアンフェッティ)
ifette at google.com
Mon Jun 15 19:35:46 PDT 2009
2009/6/15 Joseph Pecoraro <joepeck02 at gmail.com>
> c) fun things would happen with a SHA collision! ;)
>> c) Hehe, I think I detect a hint of sarcasm. If there is a SHA1 collision
>> then you'd probably make a lot of money!
> C is a serious concern. SHA-1 collisions are now 2^51 -
> This time I didn't detect sarcasm =)
> I was actually aware of that paper. I saw it on Reddit this past week, and
> although they complained about the fact that it has not yet been reviewed I
> think it could very well be valid. It's been known that SHA1 has been
> theoretically broken (not perfect 2**80) for some time now: (2005)
> However, its application in this Repository idea is not to be a
> cryptographically secure hash, it would just be to perform a quick,
> reliable, hash of the contents and to produce a unique identifier. There
> would be no security concerns in the impossibly rare chance that two scripts'
> hashes collide. Just add some whitespace to the text somewhere! It would
> even be easy to debug with standard tools such as Firefox's Firebug and
> Webkit's Web Inspector. Hahaha =)
In the event of a collision there would be huge issues - imagine running
someone else's script in your application. Basically XSS - someone could
take over your app, steal passwords, do bank transactions on your behalf,
Collisions are made easier in plain text than in certs given that your input
is not constrained.
> Also, Git and Mercurial (distributed version control systems) have been
> using SHA1 for the exact same purpose for years. I'm more familiar with
> Git's use of SHA1 and it uses it everywhere in the internals (file contents,
> directory listings, commit history).
There have been a number of threads about that :)
> Finally, if anyone here is seriously concerned with SHA1 just move to
> SHA-256 or SHA-512. With a repository unlikely to grow into the thousands,
> much less the millions, the chances of a collision even in 2**51
> (2251799813685248 base 10) is bold thinking ;)
The chances assuming everything is random are very low. The chances assuming
an active attacker, which is the case we're considering here, are not
1/2^51. 2^51 merely represents how much work needs to be done, or viewed
alternately, how close a plausible attack is.
> I'm not attacking anyone here, I'm just clarifying why I think SHA1 is not
> a bad choice. Collision will always be an issue when an infinite number of
> things gets reduced to a finite set of values, but the concern is negligible
> when done right.
> - Joe
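
Added example, not part of the original message or of any browser's code: it puts the two figures discussed in the thread side by side, the accidental-collision probability for a repository of random scripts and the wall-clock cost of 2^51 work, and sketches a digest-keyed store. The `ScriptRepository` class, its method names, and the 1e9 hashes/second rate are assumptions made for illustration.

```python
import hashlib
from fractions import Fraction

def random_collision_probability(n_items, digest_bits):
    """Birthday bound n(n-1)/2 / 2^bits: chance that n *random* digests collide by accident."""
    return Fraction(n_items * (n_items - 1), 2 * 2 ** digest_bits)

def attack_days(work_log2, hashes_per_second):
    """Days needed for 2^work_log2 hash evaluations at an assumed rate."""
    return 2 ** work_log2 / hashes_per_second / 86400

def sha256_hex(body):
    return hashlib.sha256(body).hexdigest()

class ScriptRepository:
    """Hypothetical shared script cache keyed only by content digest."""

    def __init__(self, digest_fn=sha256_hex):
        self.digest_fn = digest_fn
        self._store = {}

    def publish(self, body):
        key = self.digest_fn(body)
        existing = self._store.get(key)
        # Detectable only if the repository has seen both bodies; a page that
        # holds just the digest relies entirely on collision resistance.
        if existing is not None and existing != body:
            raise ValueError("digest collision: refusing to alias a different script")
        self._store[key] = body
        return key

    def fetch(self, expected_digest):
        body = self._store[expected_digest]
        # Re-hash on the way out so a corrupted or swapped entry is rejected.
        if self.digest_fn(body) != expected_digest:
            raise ValueError("stored body does not match requested digest")
        return body

if __name__ == "__main__":
    # Accidental collision among a million scripts with a 160-bit digest.
    print(float(random_collision_probability(10**6, 160)))
    # 2^51 work at an assumed 1e9 hashes/second (constructed figure).
    print(attack_days(51, 1e9))
```

The first figure is a probability over random inputs; the second is a cost an adversary can simply pay, which is why the two are not interchangeable when sizing the risk.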