Michael Catanzaro wrote:
> SHA-1 is blocked in certificate signatures because those can be
> attacked offline. Signatures in the TLS handshake are entirely
> different. I'm hardly an expert, but I think the attacker only has a
> few seconds to generate a hash collision before the user gives up and
> closes the browser tab. Spending several months trying to find a
> collision is not an option here. Am I wrong?

Probing the server repeatedly I get the same value in the Pubkey field several times in a row. Some time later the value changes. The server seems to replace the key every few hours or days. The Signature field is different every time though. Thus I'm not sure whether the attacker's time limit is the lifetime of the key (which Fedora can't control) or the TCP timeout.

Björn Persson
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure