Last week, Google and CWI announced the first practical SHA-1 collision attack, and it appears to have a serious impact on repositories that use the Apache Subversion (SVN) software versioning and revision control system.
The developers of the WebKit web browser engine noticed severe problems after their attempt to add a test for the SHA-1 collision to their own project. After they uploaded the sample colliding PDF files provided by Google, their SVN repository became corrupted and prevented any further commits.
Google has posted an update on the SHAttered website to warn SVN users about the risks, and Apache Subversion developers have released a tool designed to prevent PDF files such as the ones provided by Google from being committed.
So far the search giant has published only two PDF documents that prove SHA-1 collisions are possible (that is, both files have the same SHA-1 hash but different content). After 90 days, however, Google will release the code that will allow anyone to create such PDFs.
Finding SHA-1 collisions still requires significant resources: it can cost an attacker at least $110,000 worth of computing power from Amazon's cloud services. Even so, it is still 100,000 times faster than a mere brute-force attack.
The SHAttered attack also appears to affect the Git distributed version control system, which relies entirely on SHA-1 for identifying and checking the integrity of file objects and commits.
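To make the Git point concrete, the following added example (not code from the article, from Google, or from the Git project) reproduces how Git derives a blob's identifier from its content and shows the simple check a repository maintainer can run on two files: compare their SHA-1 and a second, unbroken hash (SHA-256 here). Two files whose SHA-1 matches while their content differs are exactly the collision case the article describes. The sample inputs are constructed placeholders, since the SHAttered PDFs are not included here; the names `git_blob_id` and `classify_pair` are this example's own.

```python
import hashlib

def git_blob_id(content: bytes, algo: str = "sha1") -> str:
    """Return the Git object id of `content` stored as a blob.

    Git hashes a header "blob <length>\\0" followed by the raw bytes, so two
    byte strings that collide under SHA-1 with this header prepended would
    receive the same object id and be treated as the same file by Git.
    `algo` lets the same derivation be computed with a different hash
    (e.g. "sha256") to illustrate the transition Torvalds refers to.
    """
    header = b"blob %d\x00" % len(content)
    return hashlib.new(algo, header + content).hexdigest()

def classify_pair(a: bytes, b: bytes) -> str:
    """Classify two files for collision-detection purposes.

    Returns one of:
      "identical"      - byte-for-byte equal
      "sha1-collision" - content differs but SHA-1 matches (the SHAttered case)
      "distinct"       - content differs and SHA-1 differs (the normal case)
    A second hash is computed alongside SHA-1 so that a collision is still
    distinguishable: SHA-256 is not affected by the SHA-1 attack.
    """
    if a == b:
        return "identical"
    if hashlib.sha1(a).digest() == hashlib.sha1(b).digest():
        # SHA-256 is expected to differ here; a defender would quarantine both files.
        assert hashlib.sha256(a).digest() != hashlib.sha256(b).digest()
        return "sha1-collision"
    return "distinct"

if __name__ == "__main__":
    # Constructed sample files (placeholders, not the real SHAttered PDFs).
    file_a = b"%PDF-1.3 constructed sample A\n"
    file_b = b"%PDF-1.3 constructed sample B\n"
    print("git id of A:", git_blob_id(file_a))
    print("git id of B:", git_blob_id(file_b))
    print("classification:", classify_pair(file_a, file_b))
```

Running the script prints the two object ids and reports the constructed pair as "distinct"; the empty blob id `e69de29bb2d1d6434b8b29ae775ad8c2e48c5391` and the id of `hello\n`, `ce013625030ba8dba906f756967f9e9ca394464a`, match what `git hash-object` produces, which is a quick way to confirm the derivation is right.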
However, "the sky isn't falling," according to Linux kernel creator Linus Torvalds. Torvalds pointed out that there is a big difference between using SHA-1 for security and using it to generate identifiers for systems such as Git.
Nevertheless, steps have already been taken to mitigate these types of attacks, and Torvalds says Git will eventually transition to a more secure cryptographic hash function.