SHA-1 collision alert!
But Linus Torvalds doesn’t think it’s a big deal.
SHA-1, also known as Secure Hash Algorithm 1, is a popular cryptographic hashing function created in 1995 by the NSA. However its future is now in doubt after Google and the CWI Institute Amsterdam announced they had launched the first ever successful SHA-1 collision attack. SHA-1 was designed to turn any input message (such as a specific file or website certificate) into a long string of numbers and letters that can be used as a fingerprint to confirm that the file is genuine. In their release (see
http://bit.ly/2moNUQB), Google and the CWI Institute revealed that they managed to create two PDFs that had identical SHA-1 hashes, but contained different content. Malicious users could use a ‘collision’ like this to deceive systems that use the hashes into accepting a malicious file. This strengthens Google’s argument to move to a more secure alternative such as SHA-256. However, in a public statement on the Google+ social network, Linus Torvalds explained why he wasn’t too concerned. He goes into some detail (see http://bit.ly/2mioyIj), but the gist is that the world isn’t going to end over this, and that there is a difference “between using a cryptographic hash for things like security signing, and using one for generating a ‘content identifier’ for a content-addressable system like Git”, and that Google’s particular SHA-1 attack is easily protected against. In the end, Torvalds argues that breaking SHA-1 won’t break Git. Will other people still see SHA-1 as a viable solution? Time will tell.