Hi,

On Sat, 20 Aug 2016 at 10:11:42 +0100, Leah Rowe wrote:
> sha1 was broken afaik, I don't remember the link but I was reading
> about it. Whether it's practical in practice to mitm accesses to the
> git repository I don't know. We do have other repos available listed
> on the git page on libreboot.org, some of which have https

I don't mean to discourage you from frowning at SHA-1 for some
applications, but if an attacker were to swap an object in the Git tree
by a (malicious) one with the same hash, they would have to mount not a
collision attack but a second-preimage attack against SHA-1. While
there is suspicion that the former are approaching feasibility for
well-funded adversaries, AFAIK SHA-1 is as second-preimage resistant as
ever.

By the way, I can't resist pointing out that the e-mail I'm replying to
is actually signed using SHA-1 as digest algorithm; so is the
SHA512SUMS file in the 20160816 libreboot release :-P (But here again,
achieving impersonation through an attack on the digest algorithm
requires a second-preimage attack, not a collision attack.)

Cheers,
--
Guilhem.
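The distinction drawn in the message above, as an added example that is not part of the original e-mail: it computes blob IDs the way Git does (SHA-1 over a `blob <size>\0` header plus content), then runs both searches against an ID truncated to 16 bits. The truncation width, the candidate blob contents and the sample target blob are assumptions constructed for the illustration.

```python
import hashlib
from itertools import count

BITS = 16  # toy digest width (assumption); real Git SHA-1 IDs are 160 bits


def git_blob_id(content: bytes) -> str:
    """Object ID Git assigns to a blob: SHA-1 of 'blob <size>\\0' + content."""
    return hashlib.sha1(b"blob %d\x00" % len(content) + content).hexdigest()


def toy_id(content: bytes) -> int:
    """Git blob ID truncated to BITS bits so both searches finish quickly."""
    return int(git_blob_id(content), 16) >> (160 - BITS)


def find_collision():
    """Collision: the searcher chooses BOTH blobs; any equal pair counts.
    Expected work is on the order of 2**(BITS/2) hashes (birthday bound)."""
    seen = {}
    for n in count(1):
        blob = b"candidate %d\n" % n
        h = toy_id(blob)
        if h in seen:
            return seen[h], blob, n
        seen[h] = blob


def find_second_preimage(target: bytes):
    """Second preimage: the ID is fixed by a blob that already exists in the
    repository. Expected work is on the order of 2**BITS hashes."""
    want = toy_id(target)
    for n in count(1):
        blob = b"replacement %d\n" % n
        if blob != target and toy_id(blob) == want:
            return blob, n


if __name__ == "__main__":
    a, b, c_tries = find_collision()
    existing = b"int main(void) { return 0; }\n"  # constructed sample blob
    other, p_tries = find_second_preimage(existing)
    print(f"collision: {c_tries} hashes; second preimage: {p_tries} hashes")
```

Swapping an object that is already referenced by a tree or commit corresponds to `find_second_preimage`, since the target ID is fixed in advance; a collision search only helps someone who controls both objects before either is committed.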
