Finally a SHA-1 collision. TL;DR: same-prefix collision, don't panic *yet*, but Git better start thinking of SHA-256 and don't trust PDFs.
This SHA1 attack does NOT allow you to collide an innocent-looking file with a malicious file. You need TWO blatantly malicious files.
... of course, if nobody's looking at the hex dump, one of those files might not look malicious when you open it. Hence the PDF trick.