Finally a SHA-1 collision. TL;DR: same-prefix collision, don't panic *yet*, but Git better start thinking of SHA-256 and don't trust PDFs.
-
This SHA1 attack does NOT allow you to collide an innocent-looking file with a malicious file. You need TWO blatantly malicious files.
... of course, if nobody's looking at the hex dump, one of those files might not look malicious when you open it. Hence the PDF trick.
-
-
Similarly, you could make two colliding binaries and have them behave differently, but the "evil" code would have to exist in both.
-
This is the last nail in the "but it isn't broken yet" excuse to keep using SHA-1, so if you haven't *started* migrating yet, start *now*.
- Show replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.