Date: Fri, 1 Jan 2021 16:56:51 +0000 From: RW <rwmaillists@googlemail.com> To: freebsd-current@freebsd.org Subject: Re: HEADS UP: FreeBSD src repo transitioning to git this weekend Message-ID: <20210101165651.7319af5a@gumby.homeunix.com> In-Reply-To: <CAD2Ti2-dKMOx2-k71UyZs1kAGCXPuVwO9ee861oRFNV=aCfuqA@mail.gmail.com> References: <CANCZdfpb0MF%2BuoW=K3cQpL%2B3vNQjSBDeVMab5d4JJhUO4sy-2Q@mail.gmail.com> <5fdc0b90.1c69fb81.866eb.8c29SMTPIN_ADDED_MISSING@mx.google.com> <20201218175241.GA72552@spindle.one-eyed-alien.net> <20201218182820.1P0tK%steffen@sdaoden.eu> <20201223023242.GG31099@funkthat.com> <20201223162417.v7Ce6%steffen@sdaoden.eu> <20201229011939.GU31099@funkthat.com> <20201229210454.Lh4y_%steffen@sdaoden.eu> <20201230004620.GB31099@funkthat.com> <CAD2Ti2-4xS5n0%2B1oLOHyFh4%2BOCnwtNAAwMkkWzwRVDnt-xmb1Q@mail.gmail.com> <20201231193908.GC31099@funkthat.com> <CAD2Ti2-dKMOx2-k71UyZs1kAGCXPuVwO9ee861oRFNV=aCfuqA@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 31 Dec 2020 21:25:08 -0500 grarpamp wrote: > > Is there any reason to think [bittorrent] insecure? > > Cost under $50k of compute to break sha-1, AFAIK you cannot break SHA-1 in the sense of creating data that matches a specific hash. What you can do is create a collision between two blocks of data, varying both blocks in the process. This makes SHA-1 unsuitable for digital signatures. A *third-party* attacker cannot create a bogus torrent using a collision attack against SHA-1 because the attacker would need to match a specific hash value. What may be possible is that the creator of the legitimate torrent might create two torrents with the same hash, but this seems very contrived and not very useful. It has all sorts of problems as a way of delivering targeted malware.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20210101165651.7319af5a>