On 26/02/2017 22:32, R0b0t1 wrote: > On Sun, Feb 26, 2017 at 5:00 AM, Miroslav Rovis > <miro.ro...@croatiafidelis.hr> wrote: >> On 170225-21:34-0600, R0b0t1 wrote: >>> On Saturday, February 25, 2017, Miroslav Rovis >>> <miro.ro...@croatiafidelis.hr> >>> wrote: >>>> >>> https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html >> ... >>> >>> Very interesting. The first useful SHA-1 collision was, if I remember, done >>> in 2015, and subverted an HTTPS certificate (though not one which had been >>> issued). This was some guys with a couple of servers lined with graphics >>> cards. >>> >>> Seeing someone manage to do it in a garage a number of years before it was >>> cosidered feasible should, hopefully, make you have more conservative >>> estimates of the strength of modern cryptography. >>> >>> Aside: >>> http://ecrypt-eu.blogspot.com/2015/11/break-dozen-secret-keys-get-million.html >> >> Too technical for me. Too little learning gain for too much mumbo-jumbo >> noise, at this >> stage of my understanding of crypto, for me. >> > > My apologies. The useful part of the link is really the title. It > explains how, if you *do* successfully break a given key, you have > necessarily broken millions of them - you are just unsure if they are > currently in use. The wise option is then to record every key > combination you brute force in the hope that someone will start using > it in the future. > >>> R0b0t1. >> >> But, when we talk crypto being broken, I can help thinking of other >> threats to Gentoo and other FOSS GNU Linux that I fear are perfectly >> feasible (for the resourceful subjects) >> >> Gentoo distro is increasingly served the insecure way, IMO, that is: via >> git, without the repositories being, for end users, PGP-verifiable. >> >> And via a new private big business, the Github. Giving over all users to >> big Github brother. >> >> And, in the trasition all the history got lost. Git started remembering >> only from 2015. >> >> I have asked a question about getting git-served repository verifiable >> for end users, but I didn't get any replies: >> > > This is something I was concerned about myself, especially since the > bare git protocol that most users access the repository from, even if > it is the repository hosted by the Gentoo Foundation, is insecure. Git > access via SSH or HTTPS *is* secure but is not implemented - I'm not > sure why, as they've purchased a "real" certificate and the Git > subdomain may already be covered by it.
I always though git's use of SHA hashes was to identify commits and detect random bit flips, not to provide any measure of security. -- Alan McKinnon alan.mckin...@gmail.com
