Finally a SHA-1 collision. TL;DR: same-prefix collision, don't panic *yet*, but Git better start thinking of SHA-256 and don't trust PDFs.
-
Similarly, you could make two colliding binaries and have them behave differently, but the "evil" code would have to exist in both.
This is the last nail in the "but it isn't broken yet" excuse to keep using SHA-1, so if you haven't *started* migrating yet, start *now*.
-
-
Hash attacks 101: preimage=any clean file; chosen prefix=64b of junk in otherwise clean known file; same prefix=both files evil.
-
preimage=we're screwed (not even MD*2* is preimage-broken); chosen prefix=Flame, git totally broken; same prefix=git safe-ish for code.
- Show replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.