On Mar 10, 2017, at 2:53 AM, Joerg Sonnenberger wrote:
>
> On Thu, Mar 09, 2017 at 01:37:35PM -0700, Warren Young wrote:
>>
>>
>> That can be gotten around with a MITM attack
>
> It still only matters if you can *introduce* objects.
You’re telling me it’s of no consequence if,
On Thu, Mar 09, 2017 at 01:37:35PM -0700, Warren Young wrote:
> On Mar 9, 2017, at 1:03 PM, Richard Hipp wrote:
> >
> > If a new artifact Y' which has the
> > same SHA1 hash as Y comes along, it will be discarded, since an
> > artifact with that same hash is already in the
On Mar 9, 2017, at 1:44 PM, Andy Bradford wrote:
>
> Thus said Warren Young on Thu, 09 Mar 2017 13:37:35 -0700:
>
>> That can be gotten around with a MITM attack
>
> How? If the server to which the attacker tries to synchronize
Just to clarify my prior reply: my criticisms of points 1 and 3 do not
undermine my support for the solution, which is in points 2, 4, and 5. I’m
just saying that I’d rather you didn’t bring such things up, as they are
obfuscatory arguments at best.
It is sufficient to argue the strength of
Thus said Warren Young on Thu, 09 Mar 2017 13:37:35 -0700:
> On Mar 9, 2017, at 1:03 PM, Richard Hipp wrote:
> >
> > If a new artifact Y' which has the same SHA1 hash as Y comes along,
> > it will be discarded, since an artifact with that same hash is
> > already in the
On Mar 9, 2017, at 1:03 PM, Richard Hipp wrote:
>
> If a new artifact Y' which has the
> same SHA1 hash as Y comes along, it will be discarded, since an
> artifact with that same hash is already in the repository.
That can be gotten around with a MITM attack, as I’ve already
On 3/9/17, Warren Young wrote:
>
> My question is, does the new SHA-3 scheme protect us from that possibility,
> or will a Fossil checkout of the tip of that repository replay the SHA-3
> delta on top of the tampered SHA-1 checkin and be thereby tainted?
>
(1) If artifact X
Premise: Depending on the ROI in each specific case, SHA1 is either broken
today or will be broken at some indefinite (but finite) time in the future.
The cost of attack will continue to decrease for many years to come, so the
number of repositories in danger of attack will continue to increase.