Thursday, March 02, 2017

SHA1 insecurity, HTTPS, Git

Google Online Security Blog: Announcing the first SHA1 collision



"Here are some numbers that give a sense of how large scale this computation was:
Nine quintillion (9,223,372,036,854,775,808) SHA1 computations in total
6,500 years of CPU computation to complete the attack first phase
110 years of GPU computation to complete the second phase"

Chrome and Firefox no longer accept HTTPS certificates signed with SHA-1.

Git uses SHA-1 for hashing (detecting changes), not for security protection.
> SHA1 is not used for security in Git -S[], --gpg-sign[=]... | Hacker News

Git fscked by SHA-1 collision? Not so fast, says Linus Torvalds • The Register
"the sky isn't falling. There's a big difference between using a cryptographic hash for things like security signing, and using one for generating a 'content identifier' for a content-addressable system like git."
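
How Git derives a content identifier from SHA-1 and uses it to detect changes, as an added example that is not from the original post or from Git's own code. The `ObjectStore` class and the sample strings are constructed for illustration, and the zlib compression Git applies to stored objects is omitted.

```python
import hashlib


def git_object_bytes(content: bytes, obj_type: str = "blob") -> bytes:
    """Serialize an object the way Git hashes it: '<type> <size>' + NUL + content."""
    return f"{obj_type} {len(content)}\0".encode() + content


def git_object_id(content: bytes, obj_type: str = "blob") -> str:
    """Object ID = SHA-1 over header + content, not over the raw file bytes."""
    return hashlib.sha1(git_object_bytes(content, obj_type)).hexdigest()


class ObjectStore:
    """Hypothetical in-memory content-addressable store keyed by Git object ID."""

    def __init__(self):
        self._objects = {}

    def put(self, content: bytes) -> str:
        oid = git_object_id(content)
        self._objects[oid] = git_object_bytes(content)
        return oid

    def get(self, oid: str) -> bytes:
        raw = self._objects[oid]
        # Re-hash on read: any change to the stored bytes changes the ID.
        if hashlib.sha1(raw).hexdigest() != oid:
            raise ValueError(f"object {oid} does not match its content hash")
        return raw.partition(b"\0")[2]

    def fsck(self) -> list:
        """Return the IDs of objects whose bytes no longer hash to their key."""
        return [oid for oid, raw in self._objects.items()
                if hashlib.sha1(raw).hexdigest() != oid]


if __name__ == "__main__":
    store = ObjectStore()
    oid = store.put(b"hello world\n")           # constructed sample content
    print("git blob id :", oid)
    print("plain sha1  :", hashlib.sha1(b"hello world\n").hexdigest())
    store._objects[oid] = b"blob 12\0hello World\n"   # simulate silent corruption
    print("fsck reports:", store.fsck())
```

The blob ID differs from the plain SHA-1 of the same bytes because the header is part of the hashed input; the ID matches what `git hash-object` prints for a file with that content.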