from Hacker News

We have broken SHA-1 in practice

by shizcakes on 2/23/17, 1:04 PM with 23 comments

  • by merricksb on 2/23/17, 1:30 PM

  • by mshenfield on 2/23/17, 1:22 PM

    StackOverflow post explaining how Git would handle a SHA-1 collision

    http://stackoverflow.com/questions/9392365/how-would-git-han...

  • by singularity2001 on 2/23/17, 1:20 PM

    > Here are some numbers that give a sense of how large scale this computation was:

        Nine quintillion (9,223,372,036,854,775,808) SHA1 computations in total
        6,500 years of CPU computation to complete the attack first phase
        110 years of GPU computation to complete the second phase
    
    
    So no need to panic or urgently switch, but time to slowly transition.

  • by ktta on 2/23/17, 1:09 PM

    I removed this comment from here, and posted it here:

    https://news.ycombinator.com/item?id=13713557

  • by Charged_Buffalo on 2/23/17, 1:24 PM

    Well, looks like this guy was wrong: https://lwn.net/Articles/307281/

    Copy-pasting for posterity:

      I've been informed by the git Gods that the chances of a
      SHA1 collision is the same as the Earth being sucked up into 
      the black hole created by the CERN accelerator. If this is 
      indeed true, then there's no need for that extra memcmp.

  • by seycombi on 2/23/17, 1:19 PM

    >...That means Git and unknown number of other widely used services that rely on SHA1 have THREE MONTHS to wean themselves and their users off the insecure function

    https://arstechnica.com/security/2017/02/at-deaths-door-for-...

  • by mckoss on 2/23/17, 1:28 PM

    Computing a collision today costs about $100K from my reading of the paper. So most uses of SHA1 are protecting documents of far lower value, and would not be likely attack targets (today).

  • by rpdillon on 2/23/17, 5:11 PM

    I can't tell from the various sites that have covered this, but it seems this is a faster brute force attack (much faster), but not a preimage attack. Am I reading this correctly?

  • by djhworld on 2/23/17, 1:26 PM

    Can someone explain how they made the two PDFs cause the same hash? I feel that's the bit that's missing from the explanation.

  • by mtgx on 2/23/17, 1:23 PM

    I knew Google "knew something" about SHA-1 being vulnerable to collisions when it announced the aggressive timeline for deprecating SHA-1 support.

    They got a lot of flak for trying to deprecate it "so early". It's nice to see them proving everyone wrong on this.

  • by necessity on 2/23/17, 1:22 PM

    > If you use Chrome, you will be automatically protected from insecure TLS/SSL certificates, and Firefox has this feature planned for early 2017.

    No need to wait. The option to reject SHA-1 certificates on Firefox is `security.pki.sha1_enforcement_level` with value `1`.

    https://blog.mozilla.org/security/2016/01/06/man-in-the-midd...

    Other configs worth doing:

    `security.ssl.treat_unsafe_negotiation_as_broken` to `true` and `security.ssl.require_safe_negotiation` to `true` also. Refusing insecure algorithms (`security.ssl3.<alg>`) might also be smart.
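
An added example, not part of the comment above and not Mozilla's code: a small Python audit that reads the text of a Firefox profile's `prefs.js` or `user.js` and checks the three preferences named in that comment against the values it gives. The function names and the sample profile text are constructed for illustration.

```python
import re

# Preference names and values as given in the comment above.
RECOMMENDED = {
    "security.pki.sha1_enforcement_level": 1,
    "security.ssl.treat_unsafe_negotiation_as_broken": True,
    "security.ssl.require_safe_negotiation": True,
}
# One pref line in prefs.js / user.js: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_value(raw):
    """Convert a prefs.js literal (bool, integer or quoted string) to Python."""
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw.strip('"')

def parse_prefs(text):
    """Return {name: value}; a later line overrides an earlier one."""
    matches = (PREF_RE.match(line) for line in text.splitlines())
    return {m.group(1): parse_value(m.group(2)) for m in matches if m}

def audit(text):
    """Return {name: (status, found)}; status is ok, missing or mismatch."""
    prefs = parse_prefs(text)
    report = {}
    for name, want in RECOMMENDED.items():
        if name not in prefs:
            # Not set in this file, so the browser's built-in default applies.
            report[name] = ("missing", None)
        elif prefs[name] == want and type(prefs[name]) is type(want):
            report[name] = ("ok", prefs[name])
        else:
            # The type check matters: Python treats True == 1, prefs do not.
            report[name] = ("mismatch", prefs[name])
    return report

# Constructed sample profile text, not taken from a real installation.
SAMPLE = '''
// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("security.pki.sha1_enforcement_level", 3);
user_pref("security.ssl.require_safe_negotiation", true);
'''

if __name__ == "__main__":
    for name, (status, found) in audit(SAMPLE).items():
        print(f"{status:8} {name} (found: {found!r})")
```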