Last week, Google unveiled proof that it had successfully created a collision attack against the SHA-1 hash algorithm, a security weakness long suspected to be exploitable with modern computing power.
But what does that mean in practical terms? It depends on how you use SHA-1 and in what context. The answers to those questions provide some idea of where to start moving away from SHA-1 first.
Git-r-fixed
Distributed source control system Git has been implicated as a possible victim of SHA-1 attacks. “If an attacker managed to create a SHA-1 collision for a source file object (git blob),” wrote Red Hat engineer Colin Walters, “it would affect all revisions and checkouts—invalidating the security of all GPG signed tags whose commits point to that object.”
To read this article in full or to leave a comment, please click here