It doesn't take any money or time. Google's break of SHA-1 was fully reusable. S... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		garmaine on Oct 13, 2021 \| parent \| context \| favorite \| on: SHA-1 'fully and practically broken' by new collis... It doesn't take any money or time. Google's break of SHA-1 was fully reusable. So long as committing a PDF to the repo counts, there's a script that will trivially concat two PDFs in such a way as that they each render to their original (different) contents, but both have the same SHA-1 hash. Put in a repo and `git add foo.pdf` and you're done.

marcan_42 on Oct 13, 2021 [–]

Nope. Google's break of SHA-1 was reusable in the sense that you can add an arbitrary (identical) suffix to both PDFs and keep the collision. But Git does not use raw SHA-1 hashes, it adds a prefix before computing object hashes. Therefore, Google's break of SHA-1 cannot be reused to break Git.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact