Git prefixes blobs with its own data. You're not going to break git with a SHA-1 binary collision. However, svn is very vulnerable to breaking. On Thu, Feb 23, 2017 at 3:11 PM, J. Hellenthal <jhellenthal@dataix.net> wrote:
It's actually pretty serious in Git and the banking markets where there is high usage of sha1. Considering the wide adoption of Git, this is a pretty serious issue that will only become worse ten-fold over the years. Visible abuse will not be near as widely seen as the initial shattering but escalate over much longer periods.
Take it serious ? Why wouldn't you !?
-- Onward!, Jason Hellenthal, Systems & Network Admin, Mobile: 0x9CA0BD58, JJH48-ARIN
On Feb 23, 2017, at 16:40, Ricky Beam <jfbeam@gmail.com> wrote:
On Thu, 23 Feb 2017 15:03:34 -0500, Patrick W. Gilmore < patrick@ianai.net> wrote: More seriously: The attack (or at least as much as we can glean from the blog post) cannot find a collision (file with same hash) from an arbitrary file. The attack creates two files which have the same hash, which is scary, but not as bad as it could be.
Exactly. This is just more sky-is-falling nonsense. Of course collisions exist. They occur in every hash function. It's only marginally noteworthy when someone finds a collision. It's neat the Google has found a way to generate a pair of files with the same hash -- at colossal computational cost! However this in no way invalidates SHA-1 or documents signed by SHA-1. You still cannot take an existing document, modify it in a meaningful way, and keep the same hash.
[Nor can you generate a blob to match an arbitrary hash (which would be death of all bittorrent)]