[Cryptography] SHA1 collisions make Git vulnerable to attakcs by third-parties, not just repo maintainers

After sitting through an endless flood of headless-chicken messages on multiple media about SHA-1 being fatally broken, I thought I'd do a quick writeup about what this actually means. In short: Reports of SHA-1's demise are considerably exaggerated. What CWI/Google have done is confirmed what we've known for a long time, that SHA-1 is shaky. Using a nation-state's worth of resources and a year of time (https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html), they've shown that, with a very carefully-crafted document, you can create a collision. Their presentation of the results is detailed and accurate, it's the panicked misinterpretation of those results that are the problem. Overall, this is a neat piece of work. However, before everyone joins the headless-chicken rally, let's look at its effect on real-world protocols that use SHA-1. Which ones are affected by this? SSL: Nope. SSH: Nope. PGP: Nope (when used for email). S/MIME: Nope (see above). OCSP: Nope. IPsec: Nope. OpenVPN: Nope. SCEP/CMP/CMC/EST: Nope. <lots of others>: Nope. So what is actually affected? Situations where you're creating signatures that need to be valid for a long time, and where the enormous latency between legitimate signature creation and forgery isn't an issue (this is why email won't be affected, having to wait a year between email being sent and the forgery being received will probably raise at least some suspicions of foul play). What's left is long-term document signing and certificates, as pointed out by the shattered.io FAQ. With certificates the chances of it being exploitable in practice are fairly low, through a combination of CAs having moved away from SHA-1, the fact that certificates are only valid for a year which means you have to race to forge before it expires, and the fact that any CAs that weren't already randomising serial numbers before the earlier MD5 forged-cert attack will be doing it now. Even for long-term document signing, these are frequently countersigned by a TSA to deal with the fact that the original signing certificate will expire after a year, in which case they're safe as well. Finally, with other stuff (software updates, ISOs, and others), (a) why were you still using SHA-1, and (b) you now have about 6-12 months to finally move to SHA-256, and this time we mean it. For everything else, you really do need to plan the move to SHA-256. Think of this as a practical application of Wright's Principle, "Security won't get better until tools for practical exploration of the attack surface are made available". Peter (who's at the tail end of a conference and only half awake, so I'll need to go through the paper in more detail tomorrow in case there's something I missed).