Feb. 26th, 2017

scottobear: (Default)


My takeaway from all that – the git project is internally taking steps to mitigate vulnerabilities from this particular attack (making it harder to insert the arbitrary binary data necessary into git metadata), but a) is just throwing up their hands at the problem of projects that store binary blobs like image data in their repos, and b) is not taking this as a signal that more serious sha-1 attacks are on the horizon and they should speed up their hash-replacement efforts.

This latter leads into the problems with Linus’ positions in particular. In that thread, does not take seriously the threats that this poses to the broader git userbase, because he only seems to care about the kernel use-case: trusted hosting infrastructure at kernel.org (itself an iffy assumption, given previous hacks and the use of mirrors), and the exclusive storage of human-readable text in the repo which makes binary garbage harder to sneak in. These do not apply to most users of git. His rather extreme public position (paraphrased, “our security doesn’t depend on SHA1”) is even more troubling – it absolutely does depend on SHA1, this just isn’t (yet) a strong enough attack to absolutely screw over the kernel. A stronger collision attack (eg a chosen-prefix as opposed to identical-prefix, or godforbid a pre-image attack) would absolutely invalidate the whole git security model.

Originally published at The Scotto Grotto (org). You can comment here or there.

scottobear: (Default)

Check In: Profit and Loss, Part 1: Profit (1974)


Originally published at The Scotto Grotto (org). You can comment here or there.


scottobear: (Default)
scott von berg

April 2017

2 345678
9 10 11 12 13 14 15
16 1718 19 20 21 22
23 2425 26 2728 29

Most Popular Tags

Style Credit

Expand Cut Tags

No cut tags
Page generated Jun. 26th, 2017 10:30 pm
Powered by Dreamwidth Studios