cr-marcstevens / sha1collisiondetection

Library and command line tool to detect SHA-1 collision in a file

Big Issue #22

Closed smoriarty21 closed 7 years ago

smoriarty21 commented 7 years ago

How many dev hours did you put into finding something that has never actually happened in the wild and has an astronomically low chance of happening?

TheBlueMatt commented 7 years ago

It has happened in the wild, see https://shattered.io


cr-marcstevens commented 7 years ago

Actually, less than my dev hours into making an actual SHA-1 collision.

But you're wrong saying it never happened so far and that a new one has astronomically low chance. It's costly, but not that costly.

I'm closing this non-issue.

smoriarty21 commented 7 years ago

You do realize the site you linked me says right on it that this has never happened in the wild, right? I just feel like your time would have been much better spent switching to sha-256. I'm still standing strong on my statement that this was a useless waste of time.

**From shattered.io: How widespread is this? As far as we know our example collision is the first ever created.**

**Has this been abused in the wild? Not as far as we know.**

drhsqlite commented 7 years ago

I'm probably replying to a troll, but here goes....

(1) Once you find a single SHA1 collision pair, it is trivial to find billions more.

(2) The SHA1 collision pair announced by Google et al. has been abused in the wild on software that I maintain. SHA3-256 is an option for that software, and is the default on newer instances, but SHA1 must continue to be supported for legacy.

(3) I (for one, and I assume there are many others) am immensely grateful to Marc for making his most excellent Hardened-SHA1 available under a generous license as it allows me to continue to support legacy without worrying about SHA1 collision attacks.

(4) Why are you being so mean? Go back under your bridge!


-- D. Richard Hipp drh@sqlite.org

cr-marcstevens commented 7 years ago

You do notice the caveat: as far as we know, moreover only up to now. So what's wrong with some real protection for the short term future while longer term migration to SHA-2 is underway?

Moreover, how about all those SHA-1 signatures out there that can't be replaced? What do you think is better: do we trust all those old SHA-1 signatures, or revoke them all, or do we check for forgeries with this?

shumow commented 7 years ago

Hi Sean, thanks for your interest in our project. We saved so much of our discretionary time by not trolling random people that we were able to spend it on this work.

smoriarty21 commented 7 years ago

I'll take the troll hat off for a second and ask for an education here as there is clearly something I am missing. How does finding one SHA1 collision make it trivial to find billions more (again, I was trolling but am no longer and genuinely want to understand this issue)? Also I know this was a very trollish issue for me to open but it is a genuine question. You guys keep saying that you have seen these in the wild but you seem to be the only people in the world claiming this. I just feel like (and I'd love to be wrong here) this is not as big of an issue as you are making it seem. I feel that very few people have access to enough computing power to replicate this. Again thanks for the education and sorry if I still sound like a troll, but I'm very curious.

cr-marcstevens commented 7 years ago

The thing is: we just collided a 320-byte PDF prefix without any content so far. So now anyone can make billions of colliding PDF file pairs with their own chosen content, and apply those in the wild! Any one of those PDF pairs can be used to break subversion repositories as found out by WebKit, i.e. unless the admins took special SHA-1 collision precautions.
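An added example (not code from the sha1collisiondetection project or from this thread) showing why one identical-prefix collision turns into billions: a toy Merkle-Damgård hash with a 24-bit state stands in for SHA-1, one colliding prefix pair is found by a birthday search (cheap here, enormously expensive for real SHA-1), and then every suffix appended to both prefixes collides again, which is exactly what the 320-byte SHAttered PDF prefix gives an attacker. The toy compression function, block size, IV and the sample suffixes are all constructed for this illustration.

```python
import random
import struct
import hashlib  # used only as a convenient pseudo-random mixer inside the toy compression function

BLOCK = 4                      # toy block size in bytes (SHA-1: 64)
STATE_BITS = 24                # toy chaining-state width (SHA-1: 160)
IV = 0x67452301 & ((1 << STATE_BITS) - 1)   # constructed initial chaining state

def compress(state, block):
    """Toy compression function: (chaining state, one block) -> next state. Only the chaining matters."""
    digest = hashlib.sha256(struct.pack(">I", state) + block).digest()
    return int.from_bytes(digest[:3], "big")

def toy_hash(msg):
    """Merkle-Damgard construction: pad (0x80, zeros, 32-bit bit length), then chain the blocks."""
    padded = msg + b"\x80"
    padded += b"\x00" * (-len(padded) % BLOCK)
    padded += struct.pack(">I", (len(msg) * 8) & 0xFFFFFFFF)
    state = IV
    for i in range(0, len(padded), BLOCK):
        state = compress(state, padded[i:i + BLOCK])
    return state

def find_one_collision(seed=1):
    """Birthday search for two distinct full-block prefixes that reach the same chaining state.
    About 2**(STATE_BITS/2) = 4096 compressions here; the generic bound for SHA-1 is 2**80,
    which is why the first real prefix pair (SHAttered) was so expensive to produce."""
    rng = random.Random(seed)
    seen = {}
    while True:
        block = rng.getrandbits(8 * BLOCK).to_bytes(BLOCK, "big")
        state = compress(IV, block)
        if state in seen and seen[state] != block:
            return seen[state], block
        seen[state] = block

def colliding_pairs(prefix_a, prefix_b, suffixes):
    """Append each suffix to both prefixes. Both prefixes end on a block boundary with the same
    chaining state and the same length, so the padding matches too and every suffix collides."""
    return [(prefix_a + s, prefix_b + s) for s in suffixes]

def all_collide(pairs):
    return all(a != b and toy_hash(a) == toy_hash(b) for a, b in pairs)

if __name__ == "__main__":
    a, b = find_one_collision()
    suffixes = [b"constructed PDF body #%d" % i for i in range(1000)]   # constructed suffixes
    print(all_collide(colliding_pairs(a, b, suffixes)))   # one collision -> 1000 collisions
```

Real SHA-1 has the same chaining structure, so the same reasoning applies once a prefix pair is in hand; the collision-detection code in this repository exists precisely because that reuse cannot be prevented, only detected.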

smoriarty21 commented 7 years ago

Thanks for the info Marc! Now this is starting to make more sense to me