All of lore.kernel.org
 help / color / mirror / Atom feed
From: Patrick Schleizer <patrick-mailinglists@whonix.org>
To: Jeff King <peff@peff.net>
Cc: git@vger.kernel.org, whonix-devel@whonix.org, mikegerwitz@gnu.org
Subject: Re: How safe are signed git tags? Only as safe as SHA-1 or somehow safer?
Date: Fri, 21 Nov 2014 23:01:26 +0000	[thread overview]
Message-ID: <546FC446.50101@whonix.org> (raw)
In-Reply-To: <20141117212657.GC15880@peff.net>

Dear git developers!

Jeff King wrote:
> On Sun, Nov 16, 2014 at 03:31:10PM +0000, Patrick Schleizer wrote:
> 
>> How safe are signed git tags? Especially because git uses SHA-1. There
>> is contradictory information around.
>>
>> So if one verifies a git tag (`git tag -v tagname`), then `checksout`s
>> the tag, and checks that `git status` reports no untracked/modified
>> files, without further manually auditing the code, how secure is this
>> actually? Is it only as safe as SHA-1?
> 
> Yes, it is only as "safe as SHA-1" in the sense that you have GPG-signed
> only a SHA-1 hash. If somebody can find a collision with a hash you have
> signed, they can substitute the colliding data for the data you signed.
> 
> Of course, "safe as SHA-1" and "find a collision" are vague. If
> pre-image attacks are feasible (i.e., given already-published SHA-1, I
> can find a different input with the same SHA-1), then attacks are
> trivial. But when people talk about attacks on SHA-1, they are usually
> referring to finding a collision between two new pieces of data. You can
> also use that in an attack, but it's much less straightforward
> (basically, you need to get somebody to sign one of the colliding pieces
> of data and then replace it with the other).

Sounds pretty sad. Isn't this a security issue that should be fixed?

Rather than discussing how feasible collisions in SHA-1 are... Attacks
on SHA-1 are only getting worse, no? Since the Snowden revelations we
know that powerful adversaries that are working on such things and would
use such weaknesses to exploit users.

Dear git developers, could you please make a long story short? Change to
some stronger hash algorithm? (sha256, sha512, or so?) Or provide an
option for that?

> And of course there is the question of getting the colliding data to the
> victim. Git does collision checks whenever a remote (e.g., from a "git
> fetch") gives us data that we already have. So you could poison new
> cloners with bad data, but you could not convince a repository with the
> existing "good" half of the collision to fetch the "evil" half.

Poison git cloners with bad data is exactly my point here. Because
sometimes I am a cloner of my own code - cloning it on a separate
machine - then verify it using gpg - but don't check it any further. In
such cases, I'd prefer if security wouldn't depend on SHA-1.

Cheers,
Patrick

  reply	other threads:[~2014-11-21 23:01 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-11-16 15:31 How safe are signed git tags? Only as safe as SHA-1 or somehow safer? Patrick Schleizer
2014-11-17 21:26 ` Jeff King
2014-11-21 23:01   ` Patrick Schleizer [this message]
2014-11-21 23:32     ` Jason Pyeron
2014-11-22 19:48       ` Jeff King
2014-11-22 19:43     ` Jeff King
2014-11-25 12:59     ` Fedor Brunner
2014-11-24  1:23   ` Duy Nguyen
2014-11-24 10:15     ` Michael J Gruber
2014-11-24 11:44       ` Duy Nguyen
2014-11-25 10:41         ` Duy Nguyen
2014-11-24 15:51       ` Jeff King
2014-11-24 18:14   ` Nico Williams
2014-11-25  1:16     ` Duy Nguyen
2014-11-25  1:23       ` Jonathan Nieder
2014-11-25  1:52         ` Duy Nguyen
2014-11-25  3:40           ` Stefan Beller
2014-11-25  3:47           ` Jeff King
2014-11-25 10:55             ` Duy Nguyen
2014-11-25 17:23             ` Junio C Hamano
2014-11-25 11:07       ` brian m. carlson
2014-11-24  0:52 bancfc

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=546FC446.50101@whonix.org \
    --to=patrick-mailinglists@whonix.org \
    --cc=git@vger.kernel.org \
    --cc=mikegerwitz@gnu.org \
    --cc=peff@peff.net \
    --cc=whonix-devel@whonix.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.