First SHA-1 collision

I'm pretty sure the world at large knows we should be moving to at least SHA-256; but now that this has broken, let us hope that we move faster.

Google collaborates to create first SHA-1 Collision

8 Likes

We should also be looking at SHA3 and other hashing algorithms; who knows, maybe SHA-256 collisions will be found.

4 Likes

Agreed. Every algorithm should be put under a microscope.

2 Likes

Since git is using SHA1 as well, I was wondering if it's possible to compile git with SHA256 instead of SHA1.
I know that it's not as big of a deal when it comes to git commits, but I am just curious about the software. ;-)

I'm sure there's a patch for it, but it would be completely incompatible with any non-SHA256 compiled client/service.

That's true, but if someone wanted to be extra safe, he could build his own infrastructure with his version of git. Maybe for internal use in a company this might be viable.

Or he could keep a copy of the repos with SHA1 at the same time. ;-)

2 Likes
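Since the thread asks how git uses SHA-1, here is an added example (not from any post above) showing how git derives an object id: it hashes a `<type> <size>\0` header followed by the content, not the raw file bytes, so a raw-file SHA-1 collision does not automatically carry over to the blob id, and a SHA-256 build of git changes only the hash function in this step. The `collision_report` helper and the sample inputs are constructed for this example.

```python
import hashlib


def git_object_id(data: bytes, obj_type: str = "blob", algo: str = "sha1") -> str:
    """Return the id git assigns to an object.

    git hashes the header "<type> <size>\\0" and then the content, so the
    input to the hash function is never just the raw file bytes.
    `algo` selects the digest; "sha1" is git's default, "sha256" is what a
    SHA-256 build would use.
    """
    header = f"{obj_type} {len(data)}\0".encode()
    h = hashlib.new(algo)
    h.update(header)
    h.update(data)
    return h.hexdigest()


def collision_report(a: bytes, b: bytes) -> dict:
    """Check two byte strings for equality of raw SHA-1, git blob id (SHA-1)
    and git blob id (SHA-256). A raw SHA-1 collision (first key True) only
    matters to git if the second key is also True."""
    return {
        "raw_sha1": hashlib.sha1(a).hexdigest() == hashlib.sha1(b).hexdigest(),
        "git_blob_sha1": git_object_id(a) == git_object_id(b),
        "git_blob_sha256": git_object_id(a, algo="sha256")
        == git_object_id(b, algo="sha256"),
    }


if __name__ == "__main__":
    # Constructed sample: "hello\n" gives the well-known blob id that
    # `echo hello | git hash-object --stdin` prints.
    print("blob sha1  :", git_object_id(b"hello\n"))
    print("blob sha256:", git_object_id(b"hello\n", algo="sha256"))
    # Two constructed, distinct inputs: no collision under any of the three.
    print(collision_report(b"file A contents\n", b"file B contents\n"))
```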

At least now there exists concrete proof that it is no longer secure. SHA256 all the way now.

2 Likes

I doubt there will be a patch for it.

The breakthrough was mathematical, not an implementation exploit.
Hence why Google says put this old method to rest alongside MD5.

https://shattered.it/

I don't understand why anyone would still be using SHA-1 when SHA-3 has existed for nearly a decade and 2's been around even longer.

1 Like

I feel that there is little reason for anyone to not use stronger hashing algorithms, even if it took 22 years for the first collision of SHA-1. We should always be using stronger hashing algorithms when they become available for use.

1 Like

You guys know you need a GPU farm or a sizeable botnet and to be the originator of the hash for this attack to work, right?

Not saying we shouldn't use better algos, but this means very little in practical terms.

Depending how the hash is being used, yes. But the way Google did it, you do not need that at all. In fact anyone can do this for free.