On Feb 23, 2017, at 2:59 PM, Ca By <cb.li...@gmail.com> wrote: > On Thu, Feb 23, 2017 at 10:27 AM Grant Ridder <shortdudey...@gmail.com> wrote: > >> Coworker passed this on to me. >> >> Looks like SHA1 hash collisions are now achievable in a reasonable time >> period >> https://shattered.io/ >> >> -Grant > > > Good thing we "secure" our routing protocols with MD5
MD5 on BGP considered Harmful. > :) :-) More seriously: The attack (or at least as much as we can glean from the blog post) cannot find a collision (file with same hash) from an arbitrary file. The attack creates two files which have the same hash, which is scary, but not as bad as it could be. For instance, someone cannot take Verisign’s root cert and create a cert which collides on SHA-1. Or at least we do not think they can. We’ll know in 90 days when Google releases the code. -- TTFN, patrick
