SHA1 It Ain’t So! Beating A Dead Horse Into Hash

Source: Ars Technica

SHA1 Is Dead!  Long Live SHA1

We have known for several years that SHA1 hashes are vulnerable to collision attacks which can be used to unencrypt the data which uses it and many applications have phased it out over the past five years. Unfortunately, many sites, like Git, still make use of it for content or handling HTTPS traffic; GnuPG, the open source version of PGP, still uses it for keys; and TLS and Secure Shell will still accept it. The only good news Ars Technica has to offer is that it is still rather expensive to exploit; however, the price is now less than half of what the original exploit would cost you.

Drop by for a deeper look into SHA1, collision vulnerabilities and how the price tag was determined, if you dare.

The attack unveiled on Tuesday also costs as little as $45,000 to carry out. The attack disclosed in 2017, by contrast, didn’t allow forgeries on specific predetermined document prefixes and was evaluated to cost from $110,000 to $560,000 on Amazon’s Web Services platform, depending on how quickly adversaries wanted to carry it out.

About The Author

Jeremy Hellstrom

Call it K7M.com, AMDMB.com, or PC Perspective, Jeremy has been hanging out and then working with the gang here for years. Apart from the front page you might find him on the BOINC Forums or possibly the Fraggin' Frogs if he has the time.

18 Comments

  1. willmore

    [quote]

    We have known for several years that SHA1 hashes are vulnerable to collision attacks which can be used to unencrypt the data which uses it and many applications have phased it out over the past five years.

    [/quote]

    SHA1 isn’t an encryption algorithm, it’s a hash function. It’s used for creating a ‘digest’ of a message. Unlike an encryption function, a hash function is not meant to be easily reversible.

    • willmore

      Is this a quote
      Asking for a friend.

      • willmore

        or is this?
        Anyone know the markup that the new comment system uses?

        • Jeremy Hellstrom

          umm, not really? Also, better description of SHA1 than in my blurb 😉

          • Jeremy Hellstrom

            blockquote is what you want on this one

            • willmore

              [blockquote] This is with square brackets[/blockquote]

              this is with angle brackets

              > This is just with a single angle bracket.

              Thanks for the reply, Jeremy! MHU if you ever have crypto questions.

              • willmore

                When did I get a face? Can I edit that?

              • Jeremy Hellstrom

                Updates apparently. I don’t see how to edit them at this point.

              • Webmaster

                Make sure the email you use for comments has a corresponding one in Gravatar.

  2. Jeremy Hellstrom

    I see …

    • willmore

      What do you see? 🙂

      • Jeremy Hellstrom

        How the new avatar system works on the new wide open comments

        • willmore

          My god! It’s full of stars!

  3. willmore

    Okay, I created a WP account so I could create a gravatar account. Then I uploaded my avatar. I’m not seeing it here, yet. But, I did see this when I logged into my account: “WordPress 5.3.2 is available! Please notify the site administrator.”

    So, that’s something. 🙂

    • willmore

      And there it is! Cool!

  4. willmore

    Do you have to post to a page to get it to update the avatars? I.E. does WP cache a generated page when a new comment is posted and not update it until another comment is made?

    • Jeremy Hellstrom

      I’m seeing yours now. Mine took about 5 mins to kick in.

      • willmore

        Thanks, it was popping in and out every other time I’d refresh a page, so I got to speculating why. I assume you have a few backend server boxes that don’t all pick up the new images at the same time. Seems good now. Sort of surprisingly, I’ve found a few other websites I comment at seem to be using gravatar as well as I now have an avatar at them as well. I wish someone had pointed this out to me years ago. 🙂

        Thanks, Jeremy!
