SHA1 is Shattered - Page 3
Comments

  • jiggawatt Member
    edited February 2017

    Guys

    SHA256

    just use it

    shasum -a 256 filename to get a sum

    debate done

  • @ricardo said:

    bsdguy said: "Sha1 is broken!!1!³"

    Bit cheeky. Finding a collision is fairly fundamental, and Google (in their wisdom) state

    We hope that our practical attack against SHA-1 will finally convince the industry that it is urgent to move to safer alternatives such as SHA-256.

    The expert you quote recommends the same.

    Nope not cheeky but grinningly persiflaging those who run around like headless chickens in panic.

    And: Sure, a successful collision attack on any cryptographically used or used in sensitive areas hash is always a serious matter.

    However:

    • Those were naked hashes (no salt)
    • That attack needed very serious resources. Few enough that not only nsa could run them but still more than script kiddies and even most criminal gangs can command over.
    • It was a collision attack (not breaking irreversibility).

    While I fully agree with Google and, particularly considering what kind of computing is available even in mobile telephones nowadays, also strongly advise to upgrade to better hashing ... this is NOT A DISASTER.

    Why? Because of where and how Sha1 is used. The most grave problem is Sha1 hashed certs, because this attack means that one can, with considerable resources, create fake certs. That said, I personally know of no CA still using Sha1 (I might be wrong, though; I'm not in any way deep into CAs).
    Another collision related problem is on the fly hashing as is often used in tls channels. This danger, however, is very, very low for two reasons: 1) The session will be dead since days once someone managed to fake a single network packet. 2) For that to work one needed to have the session encryption broken in the first place.
    And finally passwords. That is somewhat in the middle. On the one hand passwords are usually relatively long lived (i.e. much longer than the attack needs) but on the other hand they are always salted and the attack doesn't address that at all plus to break passwords one needed to break irreversibility (rather collision resistance). So I'm not worried.
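
The difference the post above draws between a collision attack and breaking irreversibility can be measured on a toy scale. This is an added example, not part of the thread: it truncates SHA-1 to 16 bits (an assumed width, chosen so both searches finish quickly) and counts the attempts each search needs; the function names are illustrative.

```python
import hashlib
from itertools import count

BITS = 16  # toy digest width (assumption for this demo); real SHA-1 is 160 bits


def toy_digest(data: bytes, bits: int = BITS) -> int:
    """Return the first `bits` bits of SHA-1(data) as an integer."""
    full = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return full >> (160 - bits)


def find_collision(bits: int = BITS):
    """Birthday search: ANY two distinct inputs with the same toy digest.

    Expected work is on the order of 2**(bits/2) attempts.
    """
    seen = {}
    for i in count():
        msg = b"msg-%d" % i
        d = toy_digest(msg, bits)
        if d in seen:
            return seen[d], msg, i + 1
        seen[d] = msg


def find_preimage(want: int, bits: int = BITS):
    """Inversion search: an input matching ONE fixed digest chosen in advance.

    Expected work is on the order of 2**bits attempts.
    """
    for i in count():
        msg = b"try-%d" % i
        if toy_digest(msg, bits) == want:
            return msg, i + 1


if __name__ == "__main__":
    a, b, n_col = find_collision()
    print(f"collision after {n_col} attempts: {a!r} / {b!r}")
    target = toy_digest(b"constructed sample input")  # constructed target
    m, n_pre = find_preimage(target)
    print(f"preimage after {n_pre} attempts: {m!r}")
```

At the full 160-bit width the same gap is roughly 2^80 versus 2^160 for generic search, which is why a collision result and an inversion result are reported separately.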

  • First off, no one is going around like headless chickens in panic, that is you and only you conflating what you disagree with.

    Secondly, it's massively dangerous to assume that you know every case where someone would use SHA-1 encryption. You only cite examples you can think of. Quite simply, the correct response is to use an alternate algorithm.

  • @ricardo

    Yet another funny guy trying it? Try your mindless bullshitting with someone else. I'm not the right man for that. Unlike you I don't just quote and re-blabber but I actually know what I'm talking about.

    No headless chickens in panic? Obviously you missed quite some headlines and feel self-important enough to know better than renowned experts who also wrote what I said (albeit more polite).

  • @bsdguy, you come across as a guy that has X years experience of something that thinks he knows everything.

    I'm quoting specifically you. You, projecting that people are naively talking about this subject, and you aren't.

    Honestly, someone that says "nothing in C can be scientifically proven" is someone who talks out their arse.

  • @ricardo

    "nothing in C can be scientifically proven"

    Are you now desperate enough to invent things?

    I did not say that. What I said is that C code can not be proven correct as there are ambiguities in the language.
    Obviously you don't have the slightest idea what you are talking about and have never looked at the source of a parser, let alone at static verification.

    I come around as someone who thinks he knows everything? Well, maybe that's because I do know what I'm talking about and don't have a big snout like you regarding fields I don't know much about?

  • ricardo Member
    edited February 2017

    bsdguy said: Are you now desperate enough to invent things?

    You said so yourself, in an earlier post, muppet. Can you not stand by the stuff you post?

    bsdguy said: I did not say that. What I said is that C code can not be proven correct as there are ambiguities in the language. Obviously you don't have the slightest idea what you are talking about and have never looked at the source of a parser, let alone at static verification.

    What on earth are you on about? C compiles to machine code, like every other language. Surely it comes down to mathematical axioms and considering that C is a turing complete language, your statement makes fuck all sense, in the context you say it.

    I come around as someone who thinks he knows everything? Well, maybe that's because I do know what I'm talking about and don't have a big snout like you regarding fields I don't know much about?

    No bother, prissy boy. I am pretty much indifferent until someone plays the big shot... clearly you are at the limits of what you know and making it up as you go along. Talk all you like, disinterested.

    :)

  • @ricardo

    Wow, doggy gets pissed and tries insulting me. Doesn't work though.

    As for my statement: Bring the quote.

    "What on earth are you on about? C compiles to machine code, like every other language. Surely it comes down to mathematical axioms and considering that C is a turing complete language, your statement makes fuck all sense, in the context you say it."

    A terrier's way to say that he doesn't have the slightest clue what he is talking about.

    You see, you seem to be used to getting your way because you are insisting and stubborn like a terrier. Won't work with me.

    I know those social rules, "let live", "let the other side keep their face", and I usually value them and make sure that the other side has a chance to get out cheaply and without losing their face.
    You, however, terrier, had plenty of chances and stupidly chose to bet on chutzpah and stubbornness. You asked for it, terrier.

  • Yeah, it's a vague form of attention seeking, I get it.

  • @ricardo

    Oh, terrier, you really do get nothing, really nothing. You seriously think I'm looking for your attention? Hahaha. It's the contrary, terrier!

  • You're a waffler that's clearly outspoken. How about sticking to what you know instead of making an arse of yourself.

    :)

  • @ricardo

    As much as I commend your good will, mirror talking won't solve your problem, terrier.

    And, you see, I'm very calmly leaving it to the other readers to judge your and my level of knowledge ;)

  • raindog308 Administrator, Veteran

    Man, those timestamps:

    1335 @bsdguy

    1342 @ricardo

    1400 @bsdguy

    1415 @ricardo

    1433 @bsdguy

    1438 @ricardo

    1444 @bsdguy

    1447 @ricardo

    1451 @bsdguy

    1454 @ricardo

    1503 @bsdguy

    I fear we're going to blow apart, so I'm deploying the air brakes.

    tl;dr: SHA-256 and debian, thx.

This discussion has been closed.