From 11a5199d4109b86bd8c769beba0ee96b667810a2 Mon Sep 17 00:00:00 2001 From: "Stuart P. Bentley" Date: Tue, 20 Oct 2020 18:41:54 -0700 Subject: [PATCH 1/4] Add note that SHA-1 actually has been broken --- book/07-git-tools/sections/revision-selection.asc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/book/07-git-tools/sections/revision-selection.asc b/book/07-git-tools/sections/revision-selection.asc index 17b5ab60d..4d216e283 100644 --- a/book/07-git-tools/sections/revision-selection.asc +++ b/book/07-git-tools/sections/revision-selection.asc @@ -84,6 +84,8 @@ Here's an example to give you an idea of what it would take to get a SHA-1 colli If all 6.5 billion humans on Earth were programming, and every second, each one was producing code that was the equivalent of the entire Linux kernel history (6.5 million Git objects) and pushing it into one enormous Git repository, it would take roughly 2 years until that repository contained enough objects to have a 50% probability of a single SHA-1 object collision. Thus, a SHA-1 collision is less likely than every member of your programming team being attacked and killed by wolves in unrelated incidents on the same night. +That being said, with hundreds and thousands of dollars' worth of computing power dedicated to the task, https://shattered.io/[two files with the same SHA-1 hash were produced in 2017]. Git has code https://github.com/git/git/blob/master/sha1dc/sha1.c[specifically to protect against this scenario]. + ==== [[_branch_references]] From 252d639919337c589000f7421364ccbb8675ea5f Mon Sep 17 00:00:00 2001 From: "Stuart P. Bentley" Date: Thu, 22 Oct 2020 11:08:46 -0700 Subject: [PATCH 2/4] Update book/07-git-tools/sections/revision-selection.asc Co-authored-by: Ben Straub --- book/07-git-tools/sections/revision-selection.asc | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) 
diff --git a/book/07-git-tools/sections/revision-selection.asc b/book/07-git-tools/sections/revision-selection.asc index 4d216e283..66ee00573 100644 --- a/book/07-git-tools/sections/revision-selection.asc +++ b/book/07-git-tools/sections/revision-selection.asc @@ -82,10 +82,13 @@ That's 1,200 times the number of grains of sand on the earth. Here's an example to give you an idea of what it would take to get a SHA-1 collision. If all 6.5 billion humans on Earth were programming, and every second, each one was producing code that was the equivalent of the entire Linux kernel history (6.5 million Git objects) and pushing it into one enormous Git repository, it would take roughly 2 years until that repository contained enough objects to have a 50% probability of a single SHA-1 object collision. -Thus, a SHA-1 collision is less likely than every member of your programming team being attacked and killed by wolves in unrelated incidents on the same night. - -That being said, with hundreds and thousands of dollars' worth of computing power dedicated to the task, https://shattered.io/[two files with the same SHA-1 hash were produced in 2017]. Git has code https://github.com/git/git/blob/master/sha1dc/sha1.c[specifically to protect against this scenario]. +Thus, an organic SHA-1 collision is less likely than every member of your programming team being attacked and killed by wolves in unrelated incidents on the same night. +[NOTE] +==== +There have been attempts to create a synthetic collision attack, including one documented at https://shattered.io/[]. +Git is moving towards using SHA256 as the default hashing algorithm, which is much more resilient to collision attacks, and has code in place to help mitigate this attack (although it cannot completely eliminate it). +==== ==== [[_branch_references]] From 796ef2fe64f918ecd8e40d4056d67f33dc17d75f Mon Sep 17 00:00:00 2001 
From: "Stuart P. Bentley" Date: Fri, 23 Oct 2020 10:43:12 -0700 Subject: [PATCH 3/4] Update book/07-git-tools/sections/revision-selection.asc Co-authored-by: Ben Straub --- book/07-git-tools/sections/revision-selection.asc | 3 --- 1 file changed, 3 deletions(-) diff --git a/book/07-git-tools/sections/revision-selection.asc b/book/07-git-tools/sections/revision-selection.asc index 66ee00573..adb100cef 100644 --- a/book/07-git-tools/sections/revision-selection.asc +++ b/book/07-git-tools/sections/revision-selection.asc @@ -84,12 +84,9 @@ Here's an example to give you an idea of what it would take to get a SHA-1 colli If all 6.5 billion humans on Earth were programming, and every second, each one was producing code that was the equivalent of the entire Linux kernel history (6.5 million Git objects) and pushing it into one enormous Git repository, it would take roughly 2 years until that repository contained enough objects to have a 50% probability of a single SHA-1 object collision. Thus, an organic SHA-1 collision is less likely than every member of your programming team being attacked and killed by wolves in unrelated incidents on the same night. -[NOTE] -==== There have been attempts to create a synthetic collision attack, including one documented at https://shattered.io/[]. Git is moving towards using SHA256 as the default hashing algorithm, which is much more resilient to collision attacks, and has code in place to help mitigate this attack (although it cannot completely eliminate it). ==== -==== [[_branch_references]] ==== Branch References From 1b95a959f620fdcb81d66d016f5ed6944fee3da1 Mon Sep 17 00:00:00 2001 From: "Stuart P. Bentley" Date: Fri, 23 Oct 2020 10:52:41 -0700 Subject: [PATCH 4/4] "Attempts to create" -> "It is possible" --- book/07-git-tools/sections/revision-selection.asc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/book/07-git-tools/sections/revision-selection.asc b/book/07-git-tools/sections/revision-selection.asc index adb100cef..710b48635 100644 --- a/book/07-git-tools/sections/revision-selection.asc +++ b/book/07-git-tools/sections/revision-selection.asc @@ -84,7 +84,7 @@ Here's an example to give you an idea of what it would take to get a SHA-1 colli If all 6.5 billion humans on Earth were programming, and every second, each one was producing code that was the equivalent of the entire Linux kernel history (6.5 million Git objects) and pushing it into one enormous Git repository, it would take roughly 2 years until that repository contained enough objects to have a 50% probability of a single SHA-1 object collision. Thus, an organic SHA-1 collision is less likely than every member of your programming team being attacked and killed by wolves in unrelated incidents on the same night. -There have been attempts to create a synthetic collision attack, including one documented at https://shattered.io/[]. +If you dedicate several thousands of dollars' worth of computing power to it, it is possible to synthesize two files with the same hash, as proven on https://shattered.io/[] in February 2017. Git is moving towards using SHA256 as the default hashing algorithm, which is much more resilient to collision attacks, and has code in place to help mitigate this attack (although it cannot completely eliminate it). ====
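Review bot: In the first hunk (PATCH 1/4), the added sentence reads "hundreds and thousands of dollars' worth", which does not parse as a quantity; if "hundreds of thousands" is meant, write that, and since the figure is not sourced anywhere in the hunk, either attach it to the shattered.io reference or drop the number and keep only the documented fact that a collision was produced. The same line links the collision-detection code as `https://github.com/git/git/blob/master/sha1dc/sha1.c`, a path on `master` that can move or be renamed; a reader is better served by a sentence saying what the code does (detect the known collision construction and reject the object) than by a branch-relative file link.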
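Review bot: In the second hunk (PATCH 2/4), the added `[NOTE]` block opens and closes with `====`, but the trailing context shows the enclosing block is also closed by `====`, so the result has three consecutive `====` lines; in AsciiDoc a nested block must use a delimiter of a different length (for example `=====`) or the admonition should be written as a single `NOTE:` paragraph, otherwise the inner delimiter terminates the outer block early. Two wording points in the same hunk: "organic" and "synthetic" collision are unusual terms for this distinction, and "accidental" versus "deliberately constructed" would be clearer; and "SHA256" should be spelled "SHA-256" to match "SHA-1" in the surrounding text.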
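Review bot: The third hunk (PATCH 3/4) silently changes the rendering: removing `[NOTE]` and its `====` pair turns the admonition back into ordinary paragraphs inside the enclosing block, which is a reasonable way to resolve the delimiter clash, but the commit subject "Update book/07-git-tools/sections/revision-selection.asc" does not say that. Suggest a subject such as "Drop nested NOTE block; same-length ==== delimiters closed the enclosing block" so the history explains why the admonition added in the previous commit was removed two days later.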
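Review bot: In the fourth hunk (PATCH 4/4), the new sentence says "two files with the same hash" while the following sentence switches to SHA-256; write "the same SHA-1 hash" so the mitigation sentence is not read as applying to SHA-256 too. The cost estimate has also drifted across the series, from "hundreds and thousands of dollars" in the first patch to "several thousands of dollars" here, with no citation for either; the shattered.io link is the only source given, so either state the figure that source reports or leave the amount out. Minor: the link is written `https://shattered.io/[]` with empty link text, so the bare URL will render inline; consider giving it a title such as "the SHAttered attack".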