It's actually pretty serious in Git and the banking markets where there is high 
usage of SHA-1. Considering the wide adoption of Git, this is a pretty serious 
issue that will only become worse ten-fold over the years. Visible abuse will 
not be nearly as widely seen as the initial shattering but will escalate over much 
longer periods.

Take it seriously? Why wouldn't you!?

-- 
 Onward!, 
 Jason Hellenthal, 
 Systems & Network Admin, 
 Mobile: 0x9CA0BD58, 
 JJH48-ARIN

On Feb 23, 2017, at 16:40, Ricky Beam <jfb...@gmail.com> wrote:

> On Thu, 23 Feb 2017 15:03:34 -0500, Patrick W. Gilmore <patr...@ianai.net> 
> wrote:
>> More seriously: The attack (or at least as much as we can glean from the blog 
>> post) cannot find a collision (file with same hash) from an arbitrary file. 
>> The attack creates two files which have the same hash, which is scary, but 
>> not as bad as it could be.
> 
> Exactly. This is just more sky-is-falling nonsense. Of course collisions exist. 
> They occur in every hash function. It's only marginally noteworthy when someone 
> finds a collision. It's neat that Google has found a way to generate a pair of 
> files with the same hash -- at colossal computational cost! However this in no 
> way invalidates SHA-1 or documents signed by SHA-1. You still cannot take an 
> existing document, modify it in a meaningful way, and keep the same hash.
> 
> [Nor can you generate a blob to match an arbitrary hash (which would be death 
> of all BitTorrent)]

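An added illustration, not part of the thread: the two cases the posters contrast (producing any pair of inputs with the same hash versus matching one already-existing input), measured on SHA-1 truncated to a few bits so both searches finish. The truncation, the function names and the sample input are assumptions made for this demo.

```python
import hashlib
from itertools import count

def toy_hash(data: bytes, bits: int) -> int:
    """First `bits` bits of SHA-1(data): a constructed toy, not full SHA-1."""
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return digest >> (160 - bits)

def find_collision(bits: int):
    """Searcher picks BOTH inputs: stop at the first repeated toy hash.

    Birthday bound: about 2**(bits/2) attempts are expected.
    """
    seen = {}
    for tries in count(1):
        msg = b"doc-%d" % tries
        d = toy_hash(msg, bits)
        if d in seen:
            return seen[d], msg, tries
        seen[d] = msg

def find_second_preimage(existing: bytes, bits: int, limit: int):
    """Searcher must match ONE fixed, pre-existing input.

    About 2**bits attempts are expected; returns (None, limit) on failure.
    """
    want = toy_hash(existing, bits)
    for tries in range(1, limit + 1):
        msg = b"forged-%d" % tries
        if msg != existing and toy_hash(msg, bits) == want:
            return msg, tries
    return None, limit

if __name__ == "__main__":
    # Constructed sample input standing in for a document that already exists.
    existing = b"constructed sample: an already-signed document"
    for bits in (12, 16, 20):
        a, b, c_tries = find_collision(bits)
        _, p_tries = find_second_preimage(existing, bits, limit=1 << (bits + 4))
        print(f"{bits} bits: collision after {c_tries} tries, "
              f"second preimage after {p_tries} tries")
```

The gap between the two counts widens as `bits` grows, which is why a working collision search does not by itself give the ability to match a chosen existing file.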