So many people are getting the SHA1 story wrong. With the collision that Google released, *anyone* can create colliding PDFs for *free*.
Due to the way the prefix was crafted and the way the PDF format works, this allows you to make two PDF files with different contents.
but I could already make two pdf files with different contents!
I now feel a need to look into sha-1...320bytes...hmm research time
SHA1 just processes the input in blocks. Once the state is the same, same input will change it in the same way.
@erdgeist but so what? You can't append two different somethings. You get their difference, not a difference you want.
You can append a cleverly crafted same something that will be interpreted completely differently in each file.
So, does it require that you be producing both files, then? You can't collide w an existing file?
Correct.
@thegrugq yes, but it has to be the same anything to both files. Which makes it more useful for vandalism than for fraud.
You could have one document digitally signed, then swap it with another one.
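
The block-by-block behaviour discussed in the thread, as an added example that is not part of the original tweets: a toy Merkle-Damgård hash with a deliberately tiny 24-bit state (built from truncated SHA-1, so it is not real SHA-1) shows that once two different blocks bring the state to the same value, any identical suffix keeps the digests equal. All names and sample inputs here are constructed for illustration.

```python
import hashlib
from itertools import count

BLOCK = 8   # toy block size in bytes (real SHA-1 uses 64)
STATE = 3   # toy state size in bytes (real SHA-1 uses 20); small enough to brute-force
IV = b"\x00" * STATE

def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function: truncated SHA-1 of state || block."""
    return hashlib.sha1(state + block).digest()[:STATE]

def pad(msg: bytes) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zero fill, 4-byte message length."""
    padded = msg + b"\x80"
    padded += b"\x00" * (-(len(padded) + 4) % BLOCK)
    return padded + len(msg).to_bytes(4, "big")

def absorb(state: bytes, data: bytes) -> bytes:
    """Feed whole blocks through the compression function, one at a time."""
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state

def toy_hash(msg: bytes) -> bytes:
    return absorb(IV, pad(msg))

def find_colliding_blocks(prefix: bytes):
    """Birthday search: two distinct blocks giving the same state after prefix."""
    start = absorb(IV, prefix)
    seen = {}
    for n in count():
        block = n.to_bytes(BLOCK, "big")
        state = compress(start, block)
        if state in seen:
            return seen[state], block
        seen[state] = block

def demo():
    prefix = b"HEADER--"                      # constructed shared prefix, one block
    a, b = find_colliding_blocks(prefix)      # the only place the two files differ
    suffix = b"identical trailing content"    # constructed; must be the same in both
    return prefix + a + suffix, prefix + b + suffix

if __name__ == "__main__":
    doc1, doc2 = demo()
    print(doc1 != doc2, toy_hash(doc1).hex(), toy_hash(doc2).hex())
```

The collision has to be computed by whoever produces both files, which matches the thread's point that this is not a collision against an existing file.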