Re: SHA1 collisions proven possisble

["J. Hellenthal" <jhellenthal () dataix net>]

It's actually pretty serious in Git and the banking markets where there is high usage of sha1. Considering the wide 
adoption of Git, this is a pretty serious issue that will only become worse ten-fold over the years. Visible abuse will 
not be near as widely seen as the initial shattering but escalate over much longer periods.

Take it serious ? Why wouldn't you !?

-- 
 Onward!, 
 Jason Hellenthal, 
 Systems & Network Admin, 
 Mobile: 0x9CA0BD58, 
 JJH48-ARIN

On Feb 23, 2017, at 16:40, Ricky Beam <jfbeam () gmail com> wrote:

> On Thu, 23 Feb 2017 15:03:34 -0500, Patrick W. Gilmore <patrick () ianai net> wrote:
> More seriously: The attack (or at least as much as we can glean from the blog post) cannot find a collision (file 
> with same hash) from an arbitrary file. The attack creates two files which have the same hash, which is scary, but 
> not as bad as it could be.

Exactly. This is just more sky-is-falling nonsense. Of course collisions exist. They occur in every hash function. It's 
only marginally noteworthy when someone finds a collision. It's neat the Google has found a way to generate a pair of 
files with the same hash -- at colossal computational cost! However this in no way invalidates SHA-1 or documents 
signed by SHA-1. You still cannot take an existing document, modify it in a meaningful way, and keep the same hash.

[Nor can you generate a blob to match an arbitrary hash (which would be death of all bittorrent)]