[193825] in North American Network Operators' Group
Re: SHA1 collisions proven possible
daemon@ATHENA.MIT.EDU (valdis.kletnieks@vt.edu)
Sat Feb 25 17:24:50 2017
X-Original-To: nanog@nanog.org
From: valdis.kletnieks@vt.edu
X-Google-Original-From: Valdis.Kletnieks@vt.edu
To: Richard Hesse <richard.hesse@weebly.com>
In-Reply-To: <CAJj1h3FK_pV-_wh6G-Rik5qUMBF8xc_=LsBePmK3gO=3Q6Fd5g@mail.gmail.com>
Date: Sat, 25 Feb 2017 17:23:21 -0500
Cc: NANOG Mailing List <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Sat, 25 Feb 2017 09:26:28 -0800, Richard Hesse said:
> Git prefixes blobs with its own data. You're not going to break git with a
> SHA-1 binary collision. However, svn is very vulnerable to breaking.
And here's the proof-of-concept for svn breakage. Somebody managed to
make the WebKit svn totally lose its mind by uploading the two PoC PDFs....
https://arstechnica.com/security/2017/02/watershed-sha1-collision-just-broke-the-webkit-repository-others-may-follow/
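The blob prefix mentioned in the quoted text, as an added example that is not part of the original message: git hashes `blob <size>\0` followed by the file content, so a blob's object ID is not the SHA-1 of the raw file. The function names and sample files are hypothetical and constructed for illustration; the audit helper reports distinct contents that share a digest, which is the condition a content-addressed store has to reject.

```python
import hashlib
from collections import defaultdict

def raw_sha1(data: bytes) -> str:
    """SHA-1 over the file bytes alone."""
    return hashlib.sha1(data).hexdigest()

def git_blob_id(data: bytes) -> str:
    """Git blob object ID: SHA-1 over 'blob <decimal size>' + NUL + content."""
    header = b"blob %d\x00" % len(data)
    return hashlib.sha1(header + data).hexdigest()

def digest_clashes(files: dict, digest) -> dict:
    """Map digest -> sorted names, only where *different* contents share it.

    Identical contents sharing a digest are normal deduplication and are
    not reported; differing contents under one digest are a collision.
    """
    by_digest = defaultdict(dict)
    for name, data in files.items():
        by_digest[digest(data)][name] = data
    return {d: sorted(members)
            for d, members in by_digest.items()
            if len(set(members.values())) > 1}

# Constructed sample input: 17 distinct small files plus one exact duplicate.
SAMPLE_FILES = {f"doc{i}.txt": b"revision %d\n" % i for i in range(17)}
SAMPLE_FILES["copy-of-doc0.txt"] = SAMPLE_FILES["doc0.txt"]

def one_hex_digit(data: bytes) -> str:
    """Deliberately weak 4-bit digest, used only to exercise the clash report."""
    return raw_sha1(data)[:1]

if __name__ == "__main__":
    for name in ("doc0.txt", "doc1.txt"):
        data = SAMPLE_FILES[name]
        print(name, "raw:", raw_sha1(data), "git:", git_blob_id(data))
    print("clashes (raw SHA-1):  ", digest_clashes(SAMPLE_FILES, raw_sha1))
    print("clashes (git blob id):", digest_clashes(SAMPLE_FILES, git_blob_id))
    print("clashes (4-bit toy):  ", digest_clashes(SAMPLE_FILES, one_hex_digit))
```

`git_blob_id` returns the same value as `git hash-object` for the same bytes.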