Comments (9)
smoriarty21
commented on August 20, 2024
1
You do realize the site you linked me says right on it that this has never happened in the wild right? I just feel like your time would have been much better spent switching to sha-256. I'm still standing strong on my statement that this was a useless waste of time.
**From shattered.io:
How widespread is this?
As far as we know our example collision is the first ever created.
Has this been abused in the wild?
Not as far as we know.**
from sha1collisiondetection.
drhsqlite
commented on August 20, 2024
1
I'm probably replying to a troll, but here goes....
(1) Once you find a single SHA1 collision pair, it is trivial to find
billions more.
(2) The SHA1 collision pair announced by Google et. al. has been
abused in the wild on software that I maintain. SHA3-256 is an option
for that software, and is the default on newer instances, but SHA1
must continue to be supported for legacy.
(3) I (for one, and I assume there are many others) am *immensely*
grateful to Marc for making his most excellent Hardened-SHA1 available
under a generous license as it allows me to continue to support legacy
without worrying about SHA1 collision attacks.
(4) Why are you being so mean? Go back under your bridge!
…On 3/22/17, Sean Moriarty ***@***.***> wrote:
You do realize the site you linked me says right on it that this has never
happened in the wild right? I just feel like your time would have been much
better spent switching to sha-256. I'm still standing strong on my
statement that this was a useless waste of time.
**From shattered.io:
How widespread is this?
As far as we know our example collision is the first ever created.
Has this been abused in the wild?
Not as far as we know.**
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
#22 (comment)
--
D. Richard Hipp
[email protected]
from sha1collisiondetection.
shumow
commented on August 20, 2024
1
Hi Sean, thanks for your interest in our project. We saved so much of our discretionary time by not trolling random people that we were able to spend it on this work.
from sha1collisiondetection.
smoriarty21
commented on August 20, 2024
1
I'll take the troll hat off for a second and ask for an education here as there is clearly something I am missing. How does finding one SHA1 collision make it trivial to find billions more(again I was trolling but am not longer and genuinely want to understand this issue). Also I know this was a very trollish issue for me to open but it is a genuine question. You guys keep saying that you have seen these in the wild but you seem to be the only people in the world claiming this. I just feel like (and id love to be wrong here) this is not as big of an issue as you are making it seem. I feel that very few people have access to enough computing power to replicate this. Again thanks for the education and sorry if I still sounds like a troll but I'm very curious
from sha1collisiondetection.
TheBlueMatt
commented on August 20, 2024
It has happened in the wild, see https://shattered.io
…On March 21, 2017 1:23:51 PM PDT, Sean Moriarty ***@***.***> wrote:
How many dev hours did you put into finding something that has never
actually happened in the wild and has an astronomically low chance of
happening?
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
#22
from sha1collisiondetection.
cr-marcstevens
commented on August 20, 2024
Actually, less than my dev hours into making an actual SHA-1 collision.
But you're wrong saying it never happened so far and that a new one has astronomically low chance. It's costly, but not that costly.
I'm closing this non-issue.
from sha1collisiondetection.
cr-marcstevens
commented on August 20, 2024
You do notice the caveat: as far as we know, moreover only up to now.
So whats wrong with some real protection for the short term future while longer term migration to SHA-2 is underway?
Moreover, how about all those SHA-1 signatures out there that can't be replaced.
What do you think is better: do we trust all those old SHA-1 signatures, or revoke them all, or do we check for forgeries with this?
from sha1collisiondetection.
cr-marcstevens
commented on August 20, 2024
The thing is: we just collided a 320-byte PDF prefix without any content so far. So now anyone can make billions of colliding PDF file pairs with their own chosen content, and apply those in the wild! Any one of those PDF pairs can be used to break subversion repositories as found out by WebKit, i.e. unless the admins took special SHA-1 collision precautions.
from sha1collisiondetection.
smoriarty21
commented on August 20, 2024
Thanks for the info Marc! Now this is starting to make more sense to me
from sha1collisiondetection.
Related Issues (20)
- Makefile not portable HOT 13
- Tag for release HOT 2
- Will not detect git collision? HOT 1
- Example in Readme needs an update HOT 2
- Does not work with Checkinstall HOT 1
- Remove unneeded buffers from context.
- Added to Blackarch HOT 1
- big endian detection fails on stock Apple compilers (gcc 4.2 and less) on PPC HOT 2
- AIX and xlc: no rule to make target 'dep_lib/ubc_check.d', needed by 'obj_lib/ubc_check.lo' HOT 5
- Please make unaligned access configurable HOT 8
- [RESEARCH] How to make it widespread HOT 2
- document shambles detection status HOT 3
- Please provide the tools and data files to generate lib/ubc_check.[ch] HOT 1
- Document the "safe hash" algorithm used when a collision is detected HOT 1
- How safe is "safe hash"? HOT 4
- Online file tester broken
- Timing safety HOT 14
- Dead link to oracle.com HOT 1
- Potentially dead code in `ubc_check.h` HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from sha1collisiondetection.