Red Hat Bugzilla – Bug 1270348
linux: sha1 collision possible
Last modified: 2015-10-10 17:21:15 EDT
Description of problem:
Recently sha1 hash function has been collided. This presents a security threat as makes us vulnerable to hash cracking. The seriousness of this discovery is just as bad as previous ciper suites(RC4, MD5).
Now, the average joe may not be able to generally do this, but as you know more and more people are using cloud based setups, including hackers, to accomplish just this task. What was used was a 64GPU setup. If not mistaken it took about a week to do this. So, its not exactly fast, but its fast enough to accomplish the task at hand.The more people involved in hacking this, the worse off we all are.
Time to move to a more secure hash algoritm. SHA256, SHA512, RIPEMD, etc.This affects all Linux and anyone else using the cipher.
And according to wikipedia, WTF are we using SHA1 for anyways? everyone should be using 2 or 3.MINIMUM SHA256 is used for SHA2.
hacker news: https://thehackernews.com/2015/10/sha-1-collision-attack.html
slashdot has an article here: http://it.slashdot.org/story/15/10/09/1425207/first-successful-collision-attack-on-the-sha-1-hashing-algorithm
ALSO, as you know anything on the net using this is justas - if not moreso - vulnerable.Net based setups need to mitigate this before its a problem.
Version-Release number of selected component (if applicable):
Im only reporting whats been done.
Steps to Reproduce:
you need a cloud based gpu setup for this.
Sure, this is fine information, but I'm not sure what you are wanting us to do here.
If you want to make all fedora developers more aware of this, I'd suggest posting to the devel list.
If you see any applications/packages using sha1, please file bugs on them.
With Fedora 21, we established a system wide crypto policy. If you want to change this, please file a bug against the crypto-policies package:
Hope that helps.