SHA1 collisions proven possisble

J. Hellenthal jhellenthal at
Thu Feb 23 23:11:23 UTC 2017

It's actually pretty serious in Git and the banking markets where there is high usage of sha1. Considering the wide adoption of Git, this is a pretty serious issue that will only become worse ten-fold over the years. Visible abuse will not be near as widely seen as the initial shattering but escalate over much longer periods.

Take it serious ? Why wouldn't you !?

 Jason Hellenthal, 
 Systems & Network Admin, 
 Mobile: 0x9CA0BD58, 

On Feb 23, 2017, at 16:40, Ricky Beam <jfbeam at> wrote:

> On Thu, 23 Feb 2017 15:03:34 -0500, Patrick W. Gilmore <patrick at> wrote:
> More seriously: The attack (or at least as much as we can glean from the blog post) cannot find a collision (file with same hash) from an arbitrary file. The attack creates two files which have the same hash, which is scary, but not as bad as it could be.

Exactly. This is just more sky-is-falling nonsense. Of course collisions exist. They occur in every hash function. It's only marginally noteworthy when someone finds a collision. It's neat the Google has found a way to generate a pair of files with the same hash -- at colossal computational cost! However this in no way invalidates SHA-1 or documents signed by SHA-1. You still cannot take an existing document, modify it in a meaningful way, and keep the same hash.

[Nor can you generate a blob to match an arbitrary hash (which would be death of all bittorrent)]

More information about the NANOG mailing list