[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Libreboot] Git clone authentication
|
From: |
Guilhem Moulin |
|
Subject: |
Re: [Libreboot] Git clone authentication |
|
Date: |
Fri, 26 Aug 2016 02:58:09 +0200 |
|
User-agent: |
Mutt/1.6.2-neo (2016-08-08) |
Hi,
On Sat, 20 Aug 2016 at 10:11:42 +0100, Leah Rowe wrote:
> sha1 was broken afaik, I don't remember the link but I was reading
> about it. Whether it's practical in practise to mitm accesses to the
> git repository I don't know. We do have other repos available listed
> on thegit page on libreboot.org, some of which have https
I don't mean to discourage you from frowning at SHA-1 for some
applications, but if an attacker were to swap an object in the Git tree
by a (malicious) one with the same hash, they would have to mount a not
a collision attack but a second-preimage attack against SHA-1. While
there is suspicion that the former are approaching feasibility for
well-funded adversaries, AFAIK SHA-1 is as second-preimage resistant as
ever.
By the way, I can't resist pointing out that the e-mail I'm replying to
is actually signed using SHA-1 as digest algorithm; so it the SHA512SUMS
file in the 20160816 libreboot release :-P (But here again, achieving
impersonation through an attack on the digest algorithm requires a
second-preimage attack, not a collision attack.)
Cheers,
--
Guilhem.
signature.asc
Description: PGP signature