Hi, I wanted to chime in on the topic of SHA1 weaknesses and breaks. The
problem is idea that SHA1 breaks are theoretical and will only be
relevant in a decade or two.
I think its a telling sign when even companies like Google [1] and
Microsoft [2] who collaborate with spy agencies are moving away from
SHA1 in verifying browser certs and the estimates by reputable
cryptographers already put us in the realm of feasible breaks at this
time, with the bar going lower with every passing year [3]. In three
years common cyber criminals will be able to crack it using moderate
sized computer clusters or by renting some AWS cycles.
Please reconsider the urgency of moving away from SHA1 for security
functions in Git.
References:
[1]
http://thenextweb.com/google/2014/09/05/google-will-start-sunsetting-sha-1-cryptographic-hash-algorithm-chrome-month-finish-q1-2015/
[2] https://www.schneier.com/blog/archives/2013/11/microsoft_retir.html
(Schneier on Security: Microsoft Retiring SHA-1 in 2016)
[3] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html
(When Will We See Collisions for SHA-1?)
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html