Re: [Libreboot] Git clone authentication

From: Guilhem Moulin
Subject: Re: [Libreboot] Git clone authentication
Date: Fri, 26 Aug 2016 02:58:09 +0200
User-agent: Mutt/1.6.2-neo (2016-08-08)


On Sat, 20 Aug 2016 at 10:11:42 +0100, Leah Rowe wrote:
> sha1 was broken afaik, I don't remember the link but I was reading
> about it. Whether it's practical in practice to mitm accesses to the
> git repository I don't know. We do have other repos available listed
> on the git page on, some of which have https

I don't mean to discourage you from frowning at SHA-1 for some
applications, but if an attacker were to swap an object in the Git tree
for a (malicious) one with the same hash, they would have to mount not
a collision attack but a second-preimage attack against SHA-1.  While
there is suspicion that the former are approaching feasibility for
well-funded adversaries, AFAIK SHA-1 is as second-preimage resistant as

By the way, I can't resist pointing out that the e-mail I'm replying to
is actually signed using SHA-1 as digest algorithm; so is the SHA512SUMS
file in the 20160816 libreboot release :-P  (But here again, achieving
impersonation through an attack on the digest algorithm requires a
second-preimage attack, not a collision attack.)


Attachment: signature.asc
Description: PGP signature
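
The distinction drawn in the message above, as an added example (not part of the original e-mail, and not Git or Libreboot code): it computes Git's blob object ID as SHA-1 over a `blob <size>\0` header plus the content, then keeps only 16 bits of it so that both searches finish quickly. The 16-bit truncation, the candidate strings and the names `toy_id`, `find_collision` and `find_second_preimage` are assumptions made for illustration.

```python
import hashlib
from itertools import count

BITS = 16  # constructed toy parameter: keep only the top 16 bits of the SHA-1 ID


def git_blob_id(content: bytes) -> str:
    """Object ID Git assigns to a blob: SHA-1 over 'blob <size>' NUL content."""
    return hashlib.sha1(b"blob %d\0" % len(content) + content).hexdigest()


def toy_id(content: bytes) -> int:
    """Top BITS bits of the blob ID: a deliberately weakened stand-in for SHA-1."""
    return int(git_blob_id(content), 16) >> (160 - BITS)


def find_collision():
    """Collision: the searcher chooses BOTH blobs; any equal pair counts."""
    seen = {}
    for i in count():
        blob = b"candidate %d\n" % i
        h = toy_id(blob)
        if h in seen:
            return seen[h], blob, i + 1
        seen[h] = blob


def find_second_preimage(target: bytes):
    """Second preimage: the ID is fixed by a blob someone else already committed."""
    want = toy_id(target)
    for i in count():
        blob = b"candidate %d\n" % i
        if blob != target and toy_id(blob) == want:
            return blob, i + 1


if __name__ == "__main__":
    a, b, n_coll = find_collision()
    committed = b"original file contents\n"  # constructed sample blob
    other, n_pre = find_second_preimage(committed)
    print("collision after", n_coll, "candidates:", a, b)
    print("second preimage after", n_pre, "candidates:", other)
```

With a 16-bit ID a collision is expected after a few hundred candidates, a second preimage after tens of thousands; replacing an object already in a repository is the second case.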
