On Mon, Jul 18, 2016 at 7:48 PM, Herczeg Zsolt <zsolt94@xxxxxxxxx> wrote:
>> In particular, as far as I know and as Theodore Ts'o's post describes
>> better than I could[1], you seem to be confusing preimage attacks with
>> collision attacks, and then concluding that because SHA1 is vulnerable
>> to collision attacks that use-cases that would need a preimage attack
>> to be compromised (which as far as I can tell, includes all your
>> examples) are also "broken".
>
> I understand the differences between the collision and preimage
> attacks.

Fair enough. The rest of your E-Mail certainly shows that you do, and I
didn't know anything about GitTorrent and this case where it's
vulnerable to collision attacks.

But I didn't get that impression from your initial E-Mail which
outright said:

    Git signed tags and signed commits are cryptographically insecure,
    they're useless at the moment.

It's important that those of us who *do* understand the difference
between collision and preimage attacks carefully phrase things, lest
they turn into FUD.

Your initial E-Mail does *not* make it sound like you're just talking
about the cases where someone's provided you with a crafted blob that
you've been tricked into signing, but rather makes it sound like signed
tags & commits are just categorically broken, even for preimage
attacks, which is not the case.

The reality of the current situation is that it's largely mitigated in
practice because:

a) it's hard to hand someone a crafted blob to begin with for reasons
   that have nothing to do with SHA-1 (they'll go "wtf is this
   garbage?")

b) even in that case it's *very* hard to come up with two colliding
   blobs that are *useful* for some nefarious purpose, e.g. a program A
   that looks normal being replaced by an evil program B with the same
   SHA-1.
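Added illustration, not part of the thread: the point above is that a signature on a commit or tag is bound to the commit id, which is the SHA-1 Merkle chain over tree and blob ids rather than over file contents. The code below recomputes git's object ids (blob, tree, commit) with hashlib and checks whether a signed commit still "covers" a substituted tree; the file contents and the author/committer identity are constructed here and are not from the thread.

```python
import hashlib


def git_object_id(kind, body):
    """SHA-1 of a loose git object: header "<kind> <size>\\0" then the body."""
    header = "{} {}\0".format(kind, len(body)).encode()
    return hashlib.sha1(header + body).hexdigest()


def tree_id(files):
    """Tree object over regular files (mode 100644); git sorts entries by name
    and stores each entry's blob id as 20 raw bytes, not hex."""
    body = b""
    for name in sorted(files):
        blob = bytes.fromhex(git_object_id("blob", files[name]))
        body += "100644 {}\0".format(name).encode() + blob
    return git_object_id("tree", body)


def commit_id(tree, message, parent=None):
    """Commit object naming the tree; a signed tag would name this id."""
    # Constructed, fixed identity and timestamp so the id is deterministic.
    ident = "Example Author <author@example.invalid> 1468860000 +0000"
    lines = ["tree " + tree]
    if parent:
        lines.append("parent " + parent)
    lines += ["author " + ident, "committer " + ident, "", message]
    return git_object_id("commit", "\n".join(lines).encode())


def signature_covers_same_object(files_a, files_b, message="add script"):
    """True iff a signature made over the commit for files_a is also a valid
    signature for the commit built from files_b. Only the blob *ids* enter
    the commit id, so the answer depends on those, never on the contents:
    swapping content after signing (the preimage case) breaks the chain,
    whereas two blobs the attacker built to share an id (the collision
    case) would leave the signature valid for both."""
    return commit_id(tree_id(files_a), message) == commit_id(tree_id(files_b), message)


if __name__ == "__main__":
    # Constructed sample contents: a signed file and a later substitution.
    signed = {"run.sh": b"#!/bin/sh\necho ok\n"}
    swapped = {"run.sh": b"#!/bin/sh\necho changed\n"}
    print("blob id of signed file :", git_object_id("blob", signed["run.sh"]))
    print("blob id of swapped file:", git_object_id("blob", swapped["run.sh"]))
    print("signature still valid  :", signature_covers_same_object(signed, swapped))
```

Only a blob whose SHA-1 equals the signed one keeps the commit id, which is exactly the preimage condition the message says is not the case today.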