Re: How safe are signed git tags? Only as safe as SHA-1 or somehow safer?

Hi, I wanted to chime in on the topic of SHA1 weaknesses and breaks. The problem is the idea that SHA1 breaks are theoretical and will only be relevant in a decade or two.

I think it's a telling sign when even companies like Google [1] and Microsoft [2] who collaborate with spy agencies are moving away from SHA1 in verifying browser certs, and the estimates by reputable cryptographers already put us in the realm of feasible breaks at this time, with the bar going lower with every passing year [3]. In three years common cyber criminals will be able to crack it using moderate-sized computer clusters or by renting some AWS cycles.

Please reconsider the urgency of moving away from SHA1 for security functions in Git.


References:

[1] http://thenextweb.com/google/2014/09/05/google-will-start-sunsetting-sha-1-cryptographic-hash-algorithm-chrome-month-finish-q1-2015/

[2] https://www.schneier.com/blog/archives/2013/11/microsoft_retir.html (Schneier on Security: Microsoft Retiring SHA-1 in 2016)

[3] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html (When Will We See Collisions for SHA-1?)