On Sun, Feb 26, 2017 at 5:00 AM, Miroslav Rovis <miro.ro...@croatiafidelis.hr> wrote: > On 170225-21:34-0600, R0b0t1 wrote: >> On Saturday, February 25, 2017, Miroslav Rovis <miro.ro...@croatiafidelis.hr> >> wrote: >> > >> https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html > ... >> >> Very interesting. The first useful SHA-1 collision was, if I remember, done >> in 2015, and subverted an HTTPS certificate (though not one which had been >> issued). This was some guys with a couple of servers lined with graphics >> cards. >> >> Seeing someone manage to do it in a garage a number of years before it was >> cosidered feasible should, hopefully, make you have more conservative >> estimates of the strength of modern cryptography. >> >> Aside: >> http://ecrypt-eu.blogspot.com/2015/11/break-dozen-secret-keys-get-million.html > > Too technical for me. Too little learning gain for too much mumbo-jumbo > noise, at this > stage of my understanding of crypto, for me. >
My apologies. The useful part of the link is really the title. It explains how, if you *do* successfully break a given key, you have necessarily broken millions of them - you are just unsure if they are currently in use. The wise option is then to record every key combination you brute force in the hope that someone will start using it in the future. >> R0b0t1. > > But, when we talk crypto being broken, I can help thinking of other > threats to Gentoo and other FOSS GNU Linux that I fear are perfectly > feasible (for the resourceful subjects) > > Gentoo distro is increasingly served the insecure way, IMO, that is: via > git, without the repositories being, for end users, PGP-verifiable. > > And via a new private big business, the Github. Giving over all users to > big Github brother. > > And, in the trasition all the history got lost. Git started remembering > only from 2015. > > I have asked a question about getting git-served repository verifiable > for end users, but I didn't get any replies: > This is something I was concerned about myself, especially since the bare git protocol that most users access the repository from, even if it is the repository hosted by the Gentoo Foundation, is insecure. Git access via SSH or HTTPS *is* secure but is not implemented - I'm not sure why, as they've purchased a "real" certificate and the Git subdomain may already be covered by it. > - > Miroslav Rovis > Zagreb, Croatia > https://www.CroatiaFidelis.hr Well, maybe someone will noticed this message. Or not. R0b0t1.
