Author: Roy Badami 2013-04-01 22:54:17
Published on: 2013-04-01T22:54:17+00:00
The conversation thread begins with Roy Badami's post about a possible collision attack that can create two messages with the same hash, resulting in one good and one bad commit. However, he maintains that if someone intends to insert malicious code into the repo, they would do it through social engineering rather than breaking the crypto. Melvin Carvalho agrees with Roy's point and adds that there are other threats besides SHA1 attacks, such as github being compromised or core developers' passwords being compromised. Melvin then shares his concerns about a potential attack vector based on git's relatively weak SHA1. He wonders whether an innocuous pull request could generate another file with a backdoor/nonce combination that goes unnoticed. Petr Praus replies to this concern, saying that the threat of a SHA1 collision attack to insert a malicious pull request is tiny compared to other threats. He explains that to find a collision between two specific pieces of code, an attacker needs hashing power beyond the current capabilities. Roy clarifies that the attack Schneier is talking about is a collision attack, not a second preimage attack, which is required to create a message that hashes to the same value as an existing message. He adds that the attack has nothing to do with the birthday paradox, which relates to the chance of eventually finding two messages that hash to the same value by pure chance. The conversation ends with a contest announcement.
Updated on: 2023-06-06T11:31:35.820059+00:00