Author: Melvin Carvalho 2013-04-01 22:27:51
Published on: 2013-04-01T22:27:51+00:00
The discussion on the Bitcoin-development mailing list in April 2013 centered on the potential threat of a SHA-1 collision attack being used to insert a malicious pull request. Several other threats were considered more significant, however: a compromise of GitHub or SourceForge, core developers' passwords being compromised, or one of the core developers going rogue. The participants agreed that peer review and vigilance were necessary to keep the project secure.

Petr Praus argued that a SHA-1 collision attack was not a feasible attack vector. He explained that finding a collision between two specific pieces of code is much harder than finding any two arbitrary values that hash to the same value. Melvin Carvalho expressed his concern about the use of the relatively weak SHA-1 in Git and asked whether it could lead to an attack vector in which a seemingly innocuous pull request generates another file with a backdoor/nonce combination that slips under the radar. Will estimated the amount of hashing power required for such an attack and suggested that the community should focus on peer review and keeping an eye out for suspicious commits to mitigate the risk.
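As an added illustration of the collision-versus-targeted-collision argument made in the thread (example code written for this summary, not code from the mailing list or from Bitcoin Core), the following measures both searches against a truncated, toy-sized version of the SHA-1 object hash Git uses for blobs; the bit lengths, sample inputs and target content are constructed for the demonstration and the attempt counts show why "any two values collide" is far cheaper than "collide with this specific value".

```python
import hashlib
import itertools
import math

def git_blob_id(content: bytes) -> str:
    """SHA-1 object id Git assigns to a blob: sha1("blob <size>\\0" + content)."""
    return hashlib.sha1(b"blob %d\0" % len(content) + content).hexdigest()

def truncated_digest(content: bytes, bits: int) -> int:
    """Leading `bits` bits of the Git blob hash, used as a toy-sized hash so the
    work factors below can be measured in seconds instead of centuries."""
    full = hashlib.sha1(b"blob %d\0" % len(content) + content).digest()
    return int.from_bytes(full, "big") >> (160 - bits)

def find_any_collision(bits: int):
    """Birthday search: hash distinct constructed inputs until ANY two share a
    truncated digest. Returns (attempts, first_input, second_input)."""
    seen = {}
    for n in itertools.count(1):
        data = b"payload %d" % n          # constructed sample inputs
        d = truncated_digest(data, bits)
        if d in seen:
            return n, seen[d], data
        seen[d] = data

def find_second_preimage(target: bytes, bits: int):
    """Targeted search: hash constructed inputs until one matches the digest of
    one SPECIFIC target (the situation a malicious pull request would face).
    Returns (attempts, matching_input)."""
    want = truncated_digest(target, bits)
    for n in itertools.count(1):
        data = b"other %d" % n            # constructed candidate inputs
        if truncated_digest(data, bits) == want:
            return n, data

def expected_work(bits: int):
    """Textbook expectations: about sqrt(pi/2 * 2^bits) hashes for a birthday
    collision versus about 2^bits hashes for a second preimage of a given value."""
    return math.sqrt(math.pi / 2 * 2 ** bits), float(2 ** bits)

if __name__ == "__main__":
    bits = 20                             # toy size; Git's real hash is 160 bits
    print("empty blob id:", git_blob_id(b""))
    n_any, _, _ = find_any_collision(bits)
    n_target, _ = find_second_preimage(b"int main(void) { return 0; }\n", bits)
    exp_any, exp_target = expected_work(bits)
    print(f"{bits}-bit any-collision: {n_any} hashes (expected ~{exp_any:.0f})")
    print(f"{bits}-bit targeted:      {n_target} hashes (expected ~{exp_target:.0f})")
```

Scaling the same two curves to the full 160 bits gives roughly 2^80 work for an arbitrary collision against 2^160 for matching a specific existing object, which is the gap Praus's argument relies on.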
Updated on: 2023-06-06T11:29:09.576334+00:00