From: bancfc@openmailbox.org
To: git@vger.kernel.org
Subject: Re: How safe are signed git tags? Only as safe as SHA-1 or somehow safer?
Date: Mon, 24 Nov 2014 00:52:42 +0000 [thread overview]
Message-ID: <6246f36ca7006d29b97f2e453c9e52c8@openmailbox.org> (raw)
Hi, I wanted to chime in on the topic of SHA1 weaknesses and breaks. The
problem is idea that SHA1 breaks are theoretical and will only be
relevant in a decade or two.
I think its a telling sign when even companies like Google [1] and
Microsoft [2] who collaborate with spy agencies are moving away from
SHA1 in verifying browser certs and the estimates by reputable
cryptographers already put us in the realm of feasible breaks at this
time, with the bar going lower with every passing year [3]. In three
years common cyber criminals will be able to crack it using moderate
sized computer clusters or by renting some AWS cycles.
Please reconsider the urgency of moving away from SHA1 for security
functions in Git.
References:
[1]
http://thenextweb.com/google/2014/09/05/google-will-start-sunsetting-sha-1-cryptographic-hash-algorithm-chrome-month-finish-q1-2015/
[2] https://www.schneier.com/blog/archives/2013/11/microsoft_retir.html
(Schneier on Security: Microsoft Retiring SHA-1 in 2016)
[3] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html
(When Will We See Collisions for SHA-1?)
next reply other threads:[~2014-11-24 1:01 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-24 0:52 bancfc [this message]
-- strict thread matches above, loose matches on Subject: below --
2014-11-16 15:31 How safe are signed git tags? Only as safe as SHA-1 or somehow safer? Patrick Schleizer
2014-11-17 21:26 ` Jeff King
2014-11-21 23:01 ` Patrick Schleizer
2014-11-21 23:32 ` Jason Pyeron
2014-11-22 19:48 ` Jeff King
2014-11-22 19:43 ` Jeff King
2014-11-25 12:59 ` Fedor Brunner
2014-11-24 1:23 ` Duy Nguyen
2014-11-24 10:15 ` Michael J Gruber
2014-11-24 11:44 ` Duy Nguyen
2014-11-25 10:41 ` Duy Nguyen
2014-11-24 15:51 ` Jeff King
2014-11-24 18:14 ` Nico Williams
2014-11-25 1:16 ` Duy Nguyen
2014-11-25 1:23 ` Jonathan Nieder
2014-11-25 1:52 ` Duy Nguyen
2014-11-25 3:40 ` Stefan Beller
2014-11-25 3:47 ` Jeff King
2014-11-25 10:55 ` Duy Nguyen
2014-11-25 17:23 ` Junio C Hamano
2014-11-25 11:07 ` brian m. carlson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6246f36ca7006d29b97f2e453c9e52c8@openmailbox.org \
--to=bancfc@openmailbox.org \
--cc=git@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).