On Feb 23, 2017, at 12:55 PM, Lamar Owen <lo...@pari.edu> wrote:
> 
> On 02/09/2017 03:12 PM, Johnny Hughes wrote:
>> The patch files are in git as text files, right?  Why would you need
>> checksums of those? That is the purpose of git, right?
>> 
> Not to stir up a hornets' nest, but how does Google's announcement at 
> https://shattered.it affect this now?

To replace pre-existing checkins in place, you have to execute what’s called a 
second-preimage attack, which is much, much harder than the collision attack 
presented by Google.

The collision attack gives you the freedom to change both files until they 
match, whereas fixing one of the artifacts ahead of time requires you to pull 
off a second-preimage attack.  Since the fear up-thread is about whether we can 
trust what’s already in the CentOS Git repos, only a second-preimage attack 
will do.

There is a way to use a collision attack against Git or similar systems:

    https://news.ycombinator.com/item?id=13715887

However, realize that in this context, it means you’d have to:

1. Get the Red Hat or CentOS folks to accept the good version of your patch.  
(i.e. The benign version of the evil patch you want to get into RHEL and 
CentOS.)

2. Hope that the committer doesn’t modify your patch before committing it, thus 
breaking the match to the evil version you spent $100k and a month of time 
creating.

3. MITM the Git sync protocol between git.centos.org and the target site to 
inject your evil version into the sync stream.  Since git.centos.org redirects 
to HTTPS by default and issues HTTPS URLs for you to clone from, this means you 
also have to break TLS, since unbroken TLS prevents MITM attacks.  That, or 
someone has to *aim* while shooting themselves in the foot, going out of their 
way to remove the “s” from the URL.

4. Since git.centos.org is apparently not mirrored, you have to execute this 
attack between git.centos.org and all end users of their service that you wish 
to attack, rather than poison one or more of the mirrors by MITMing the 
mirror’s connection back to git.centos.org.

So yeah, it’s still Difficult.™

All of this is not to say that Git doesn’t have a problem.  They do.  It’s just 
that the problem in question doesn’t affect the integrity of git.centos.org, as 
far as I can see.
_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
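
Added example, not part of the original message or of any CentOS tooling: a Python sketch of two defender-side checks that follow from steps 2 and 3 above. It computes the object id Git assigns to a file, pins it together with an independent SHA-256, and refuses non-HTTPS clone URLs. The function names, the sample patch and the example URLs are constructed for illustration.

```python
import hashlib
from urllib.parse import urlparse


def git_blob_id(content: bytes) -> str:
    """Object id Git gives a file: SHA-1 over b'blob <len>\\0' + content."""
    header = b"blob %d\x00" % len(content)
    return hashlib.sha1(header + content).hexdigest()


def remote_is_https(url: str) -> bool:
    """True only for https:// remotes; plain http:// has no transport integrity."""
    return urlparse(url).scheme == "https"


def pin(content: bytes) -> dict:
    """Record the Git id and an independent SHA-256 at review time."""
    return {"git_sha1": git_blob_id(content),
            "sha256": hashlib.sha256(content).hexdigest()}


def verify(content: bytes, pinned: dict) -> str:
    """Compare a fetched file against its pin."""
    same_sha1 = git_blob_id(content) == pinned["git_sha1"]
    same_sha256 = hashlib.sha256(content).hexdigest() == pinned["sha256"]
    if same_sha1 and same_sha256:
        return "ok"
    if same_sha1:
        # Same Git id but different bytes: only a SHA-1 collision does this.
        return "sha1-collision-suspected"
    return "modified"


# Constructed sample data: a patch as reviewed, and the same patch after a
# committer touched one line before committing (step 2 in the message).
REVIEWED = b"--- a/foo.c\n+++ b/foo.c\n@@ -1 +1 @@\n-int x = 0;\n+int x = 1;\n"
COMMITTED = REVIEWED.replace(b"int x = 1;", b"int x = 1; /* tidy */")

if __name__ == "__main__":
    pinned = pin(REVIEWED)
    print(verify(REVIEWED, pinned))    # unchanged file
    print(verify(COMMITTED, pinned))   # any edit changes the Git id
    print(remote_is_https("http://git.centos.org/example.git"))
```

The `sha1-collision-suspected` result cannot be triggered by the sample data; it is the case the second hash exists to catch.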
