Finally a SHA-1 collision. TL;DR: same-prefix collision, don't panic *yet*, but Git better start thinking of SHA-256 and don't trust PDFs.
-
... of course, if nobody's looking at the hex dump, one of those files might not look malicious when you open it. Hence the PDF trick.
Similarly, you could make two colliding binaries and have them behave differently, but the "evil" code would have to exist in both.
-
-
This is the last nail in the "but it isn't broken yet" excuse to keep using SHA-1, so if you haven't *started* migrating yet, start *now*.
-
Hash attacks 101: preimage=any clean file; chosen prefix=64b of junk in otherwise clean known file; same prefix=both files evil.
- Show replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.