On Mon, Feb 27, 2017 at 9:46 AM, Andrew Savchenko <[email protected]> wrote:
>
> So danger of SHA1 collision is much closer than
> 9,223,372,036,854,775,808 SHA1 computations or 1 110-GPU year.

Indeed in every way it is closer than that than when Google started
their project, and tomorrow it will be closer still.

The subject line shouldn't really be "SHA-1 has just been broken" but
"Another recent confirmation of SHA-1 being broken."  We've known it
has been broken for quite a while.

In the same way, DES wasn't broken when the EFF built their ASIC-based
machine.  That was just the final nail in the coffin.  Anybody who
waited for somebody to actually build that machine (and I'd be shocked
if bigger players than the EFF didn't have such a machine much sooner)
was deluded.

When somebody discovers an attack on a hash function that greatly
reduces the cost to generate collisions into a number that is even
remotely foreseeable in the next decade, it is time to stop using that
hash function.  Sheer inertia ensures that even if everybody started
changing overnight it probably would still cause problems when the
attacks start getting practical.

Sure, there are threat models where it doesn't matter, but on the
SHA-1 front it seems like people have been underestimating their
exposure.  Certainly Gentoo has exposure until git is fixed and the
active tree has non-SHA-1 hashes.  Even then the historical tree is
vulnerable if we don't rehash everything, though in practice I don't
think that matters as much, and obviously slipping a non-preimage
collision into the historical tree is impossible unless it is done
before the hash functions are changed.

Sure, you can wave your hands about how hard it is to exploit in
practice, and I agree with many of these arguments.  However, SHA-1
should be viewed as a vulnerability and fixing it as a priority.  For
Gentoo specifically it isn't really the weakest link in the chain as
was pointed out in the other thread, so I'm not sure I'd go rushing
out to fork git.  Still, we shouldn't be entirely comfortable with git
as it stands at the moment.

-- 
Rich
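The message above talks about git's SHA-1 object names, rehashing the tree with a non-SHA-1 function, and the difference between a collision (attacker controls both halves before commit) and a preimage (attacker must match an id that already exists in history). The following is an added illustration, not code from the thread, from Gentoo or from git itself. It frames objects the way git does ("<type> <size>\0<content>") and hashes that framing with SHA-1 and, as a stand-in for the transition the message asks for, SHA-256; the helper names, the sample blobs and the "history" mapping are all constructed for the example.

```python
import hashlib
from typing import Dict, List, Tuple

# git names an object by hashing "<type> <size>\0<content>"; the SHA-1 form is
# git's current object id.  The same framing under SHA-256 shows what a tree
# rehashed with a non-SHA-1 function would look like (illustrative choice).
def git_oid(kind: str, content: bytes, algo: str = "sha1") -> str:
    if kind not in ("blob", "tree", "commit", "tag"):
        raise ValueError(f"unknown git object type: {kind}")
    framed = f"{kind} {len(content)}\0".encode() + content
    return hashlib.new(algo, framed).hexdigest()


def rehash_history(history: Dict[str, bytes], algo: str = "sha256") -> Dict[str, str]:
    """Map each SHA-1 blob id in a (constructed) history to its id under `algo`.

    This is the 'rehash everything' step: every historical object gets a new
    name, and anything whose stored SHA-1 id no longer matches its content is
    reported rather than silently renamed.
    """
    mapping = {}
    for old_id, content in history.items():
        if git_oid("blob", content, "sha1") != old_id:
            raise ValueError(f"object {old_id} does not hash to its recorded id")
        mapping[old_id] = git_oid("blob", content, algo)
    return mapping


def find_collisions(blobs: List[Tuple[str, bytes]], algo: str = "sha1") -> List[Tuple[str, str]]:
    """Report pairs of *different* contents that share an object id under `algo`.

    Two entries with byte-identical content legitimately share an id and are
    not reported; only distinct content with the same id (a real collision
    in the active tree) is returned as (name_a, name_b).
    """
    seen: Dict[str, Tuple[str, bytes]] = {}
    found = []
    for name, content in blobs:
        oid = git_oid("blob", content, algo)
        if oid in seen and seen[oid][1] != content:
            found.append((seen[oid][0], name))
        seen.setdefault(oid, (name, content))
    return found


def second_preimage_needed(history: Dict[str, bytes], candidate: bytes, algo: str = "sha1") -> bool:
    """True if `candidate` could only enter history by matching an existing id.

    Once an object's id is fixed in history, replacing it requires a second
    preimage of that id, not merely a collision pair prepared in advance.
    """
    return git_oid("blob", candidate, algo) not in history


if __name__ == "__main__":
    # Constructed sample tree: three blobs, two of them byte-identical.
    sample = [("ebuild-a", b"EAPI=6\n"), ("ebuild-b", b"EAPI=5\n"), ("copy-of-a", b"EAPI=6\n")]
    hist = {git_oid("blob", c): c for _, c in sample}
    print("sha1 ids   :", sorted(hist))
    print("sha256 ids :", sorted(rehash_history(hist).values()))
    print("collisions :", find_collisions(sample))
    print("needs preimage to replace:", second_preimage_needed(hist, b"EAPI=7\n"))
```

The `find_collisions` check is what a tree with two distinct objects under one SHA-1 name would trip; the SHAttered pair itself is not embedded here because the colliding files are not on this page.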