1. This is old news
2. This particular type of collision is detectable by sha1dc (which is used by git) last time I checked.

-S

On Wed, Dec 30, 2020 at 04:07:26PM +0000, coderman wrote:
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Wednesday, December 30, 2020 6:04 AM, grarpamp <[email protected]> wrote:
>
> > https://eprint.iacr.org/2020/014
> > SHA-1 is a Shambles - First Chosen-Prefix Collision on SHA-1 and
> > Application to the PGP Web of Trust
> > ... We managed to significantly reduce the
> > complexity of collisions attack against SHA-1: on an Nvidia GTX 970,
> > identical-prefix collisions can now be computed with a complexity of
> > 2^61.2 rather than 2^64.7, and chosen-prefix collisions with a
> > complexity of 2^63.4 rather than 2^67.1. When renting cheap GPUs, this
> > translates to a cost of 11k US$ for a collision, and 45k US$ for a
> > chosen-prefix collision, within the means of academic researchers. Our
> > actual attack required two months of computations using 900 Nvidia GTX
> > 1060 GPUs (we paid 75k US$ because GPU prices were higher, and we
> > wasted some time preparing the attack).
> > Therefore, the same attacks that have been practical on MD5 since 2009
> > are now practical on SHA-1. In particular, chosen-prefix collisions
> > can break signature schemes and handshake security in secure channel
> > protocols (TLS, SSH).
>
>
> someone could warm some GPUs and really make a mess of commits to public
> repos. (yes, git uses SHA1 :)
>
> see also
> https://github.com/bk2204/git/blob/transition-stage-4/Documentation/technical/hash-function-transition.txt
>
>
> best regards,
