Interesting Links for 25-02-2017

[andrewducker]

How would Git handle a SHA-1 collision on a blob? (tags: git security ) Scottish Labour conference delegates back federal UK motion (tags: uk reform labour ) Do Cats Cause Schizophrenia? Believe the Science, Not the Hype (tags: cats research ToxoplasmaGondii schizophrenia ) Meanwhile, At The Fembot Factory (so very nsfw) (tags: nsfw sex design

Comments

Subversion and SHA-1

[fanf]

Practically every Git user knows it fundamentally relies on SHA-1, but we also know it will take another 6000 CPU-years to break git. But fewer people knew that Subversion also relies on SHA-1 for deduplication, and because (unlike git) it does not prefix files before hashing them, Subversion is trivially vulnerable to denial of service by the published SHA-1 collision.

I have been unreasonably (and unkindly) amused by this over the last couple of days.

I posted some details and links on hacker news at https://news.ycombinator.com/item?id=13726121

Re: Subversion and SHA-1

[andrewducker]

I'm glad that they've got a hook up and running as a quick fix.

I wonder if similar things will work for Git.

Re: Subversion and SHA-1

[fanf]

The svn hook script relies on spotting the only known SHA-1 collision, so it is no good for protecting against hypothetical future collisions which might break git.

AIUI the software Google used to generate the collision can also analyse the inner state of SHA-1 to detect when it is being tickled in a dangerous way; maybe that can be adapted as a safety belt, if its false positive rate is low enough. Dunno.

But the long term fix (for both git and svn) is proper hash agility, but this is much harder for git than svn.

RE: Re: Subversion and SHA-1

[andrewducker]

Bugger, I hadn't actually spotted that it was comparing to a Known Bad list.

Oh well, onwards to a better hashing system it is!

[artkouros]

Fembot factory seems surprisingly low tech. I wonder if it helps to be a sociopath to work there?