|
From: | graydon hoare |
Subject: | [Monotone-devel] Re: SHA-1 Broken |
Date: | Tue, 15 Feb 2005 23:49:44 -0500 |
User-agent: | Mozilla Thunderbird 1.0 (X11/20041206) |
Dean Kusler wrote:
I'm sure many of y'all have already seen this, but I hadn't seen it posted to the list yet. Preliminary details on Bruce Schneier's blog.http://www.schneier.com/blog/archives/2005/02/sha1_broken.htmlOf course, collision attacks probably aren't that important for Monotone's use of SHA-1, since you'd need to have a malicious person with write access to your database, in which case you're probably screwed anyways.
you'd also need an attacker wealthy enough to scrape up 2^69 work units, in which case you're also probably screwed anyways.
but we should, as a matter of courtesy, update our standard hash to something stronger soon. as soon as there's a community consensus about which hash in particular represents "something stronger".
it's worth noting that any competing system which uses digital signatures as a security mechanism is equally weakened by this exciting development.
-graydon
[Prev in Thread] | Current Thread | [Next in Thread] |