A SHA-1 freestart collision has occurred
-
https://sites.google.com/site/itstheshappening/
Ars article: http://arstechnica.com/security/2015/10/sha1-crypto-algorithm-securing-internet-could-break-by-years-end/
With the IV
50 6b 01 78 ff 6d 18 90 20 22 91 fd 3a de 38 71 b2 c6 65 ea
this message:
9d 44 38 28 a5 ea 3d f0 86 ea a0 fa 77 83 a7 36 33 24 48 4d af 70 2a aa a3 da b6 79 d8 a6 9e 2d 54 38 20 ed a7 ff fb 52 d3 ff 49 3f c3 ff 55 1e fb ff d9 7f 55 fe ee f2 08 5a f3 12 08 86 88 a9
has a SHA-1 hash of
f0 20 48 6f 07 1b f1 10 53 54 7a 86 f4 a7 15 3b 3c 95 0f 4b
With the IV
50 6b 01 78 ff 6d 18 91 a0 22 91 fd 3a de 38 71 b2 c6 65 ea
this message:
3f 44 38 38 81 ea 3d ec a0 ea a0 ee 51 83 a7 2c 33 24 48 5d ab 70 2a b6 6f da b6 6d d4 a6 9e 2f 94 38 20 fd 13 ff fb 4e ef ff 49 3b 7f ff 55 04 db ff d9 6f 71 fe ee ee e4 5a f3 06 04 86 88 ab
has a SHA-1 hash of
f0 20 48 6f 07 1b f1 10 53 54 7a 86 f4 a7 15 3b 3c 95 0f 4b
(Note 90 20 vs 91 a0 in the IVs.)
The researchers estimate that computing a real collision - one without different IVs - would cost between $75,000 and $120,000 on Amazon EC2 over a few months. This is within the resources of organized crime today.
If you are having trouble recognizing how this is a problem, check your browser's CA store for a subordinate certificate authority from "MD5 Collisions, Inc." issued by Equifax.
-
Interesting. I don't understand the attack vector. Does increasing the key size help?
-
No, the attack is this:
- Create two certificates that hash to the same SHA-1 value, except one is marked as a sub-CA
- Get the first one signed by a CA
- Apply the signature you received in the certificate to the second one
- You are now in control of a valid CA certificate
The only fix is to ditch SHA1, like we did with MD5 in 2011.
Also wow this Discourse server is so underpowered, it's so terrible here compared to everywhere else.
-
I don't understand the attack vector
Replacing binaries with malicious binaries without invalidating the digital signature.
-
Also wow this Discourse server is so underpowered, it's so terrible here compared to everywhere else.
why do you think http://servercooties.io/#graph is a thing.
also performance used to be much better. we seem to inexplicably lose performance round about the same time we upgrade our discourse install......
-
Also wow this Discourse server is so underpowered, it's so terrible here compared to everywhere else.
It's a forum, it shouldn't need a particularly powerful server with the amount of activity we have here.
Except, Discourse...
-
I should have known what the spin me baby button would do but I clicked it anyway.
- how likely are you to produce a binary with the exact same hash as another binary and then compromise an official mirror long enough to get it on enough computers to collect a significant amount of data to ransom without breaking the bank?
- when was the last time you saw a SHA-1 hashcode for a binary from an official mirror? I suppose the better question is who actually checks the binaries that they download? I know we do it but there are security reasons for that. Mostly the IT manager. I don't think I've ever done it on any of my personal computers...
-
how likely are you to produce a binary with the exact same hash as another binary and then compromise an official mirror long enough to get it on enough computers to collect a significant amount of data to ransom without breaking the bank?
You don't need to get it on the mirror - you just need to get control of any device between the browser and the mirror.
when was the last time you saw a SHA-1 hashcode for a binary from an official mirror?
Every Windows Update I've seen used SHA1. Being able to add your malware to files that are auto-installed on 90% of the computers on the Internet sounds pretty handy to me.
-
I should have known what the spin me baby button would do but I clicked it anyway.
i think that button was @onyx's idea.
might have been @raceprouk's idea.....
one of them i'm pretty sure.
did you manage to click the button a second time? because the button's a toggle. :-P
-
Every Windows Update I've seen used SHA1. Being able to add your malware to files that are auto-installed on 90% of the computers on the Internet sounds pretty handy to me.
Keep in mind, this isn't producing a SHA1 file with a given hash - we can't do that with MD5 either right now - but producing two new files with the same hash.
-
did you manage to click the button a second time?
Hitting Space does that quite easily ;)
-
@accalia said:
did you manage to click the button a second time?
Hitting Space does that quite easily ;)
CHEATER!
/me makes a note to automatically move focus when the button is activated to prevent that trick in future.
-
Mwaha! I got it.
-
/me makes a note to automatically move focus when the button is activated to prevent that trick in future.
Meh, there are other tricks
-
@accalia said:
/me makes a note to automatically move focus when the button is activated to prevent that trick in future.
Meh, there are other tricks
CHEATER McCHEATERSON!
-
@loopback0 said:
there are other tricks
like NOT clicking the damn button?
Oh WELL DONE BELCHY. Now @accalia's going to make the button press itself to avoid that.
-
Now @accalia's going to make the button press itself to avoid that.
but only when you won't press the button yourself.
-
@loopback0 said:
Now @accalia's going to make the button press itself to avoid that.
but only when you won't press the button yourself.
Or the other way around ...
At random
-
How about you have to press the button to prevent it, and the button dances around on the screen like a 1995 joke application?
-
challenge accepted.
You don't need to get it on the mirror - you just need to get control of any device between the browser and the mirror.
@Jaime said:
Every Windows Update I've seen used SHA1. Being able to add your malware to files that are auto-installed on 90% of the computers on the Internet sounds pretty handy to me.
A) good luck with that. Probably easier than I think... B) we have yet to produce a binary with the exact same hash.
-
Also wow this Discourse server is so underpowered, it's so terrible here compared to everywhere else.
It's completely overpowered for the level of service we receive.
-
Also wow this Discourse server is so underpowered, it's so terrible here compared to everywhere else.
It's a Digital Ocean droplet - the sort of thing that Jeff recommends.
-
we are on the official recommended hardware,
i think we might be on bigger than that actually.... didn't we upgrade to 4GB when we switched servers?
-
i think we might be on bigger than that actually....
root@what:~# free -m; echo; df -h; echo; grep proc /proc/cpuinfo
             total       used       free     shared    buffers     cached
Mem:          3953       3844        109       1042          7       1508
-/+ buffers/cache:       2328       1625
Swap:         1023        137        886

Filesystem      Size  Used Avail Use% Mounted on
/dev/vda         59G   37G   20G  67% /
none            4.0K     0  4.0K   0% /sys/fs/cgroup
udev            2.0G   12K  2.0G   1% /dev
tmpfs           396M  320K  396M   1% /run
none            5.0M     0  5.0M   0% /run/lock
none            2.0G  712K  2.0G   1% /run/shm
none            100M     0  100M   0% /run/user

processor       : 0
processor       : 1
root@what:~#
-
yep. that's a 4GB instance....
so either there is something quite wrong with our server that needs professional looking at (doubt it, we had sam in there often enough) or that install guide is out of date
well i say out of date. @codinghorror last updated those recommendations 16 days ago....
yeah.
-
For amusement:
root@what:~# uptime
 07:42:50 up 49 days, 13:43,  1 user,  load average: 3.12, 2.48, 2.19
-
well that's our problem then....
we're CPU bound.
we have 2 CPUs so our load average can go as high as 2 before we start getting CPU contention.
if our 15 minute average is over 2, and regularly staying there...
hmm.... it's almost as if what discourse needs is some serious optimization.....
-
Digital Ocean droplets are quite nice. I mean they're just VPSes with a pretty name but they have some nice management tools. Kinda like EC2 but with a lot less hassle to deploy.
-
hmm.... it's almost as if what discourse needs is some serious optimization.....
It's message board software. It shouldn't be using that much CPU.
root@what:~# ps aux | sort -nk10 | tail -n15
pjh       4442 14.6  6.0 1071028 242924 ?      Sl   07:11   5:14 unicorn worker[0] -E production -c config/unicorn.conf.rb
pjh       4451 14.8  5.9 1072028 242476 ?      Sl   07:11   5:18 unicorn worker[1] -E production -c config/unicorn.conf.rb
pjh       4459 14.8  6.1 1215388 250364 ?      Sl   07:11   5:19 unicorn worker[2] -E production -c config/unicorn.conf.rb
pjh       4475 14.6  5.8 1158044 238168 ?      Sl   07:11   5:13 unicorn worker[3] -E production -c config/unicorn.conf.rb
root       133  0.0  0.0       0      0 ?      S    Aug20   6:04 [jbd2/vda-8]
root      1021  0.0  0.0   19184    364 ?      Ss   Aug20   7:41 /usr/sbin/irqbalance
ossec     1030  0.0  0.0   17376    400 ?      S    Aug20   8:43 /var/ossec/bin/ossec-agentd
root      1044  0.0  0.0    5348      0 ?      S    Aug20  28:58 /var/ossec/bin/ossec-syscheckd
root       754  0.0  0.1 1154844   7804 ?      Ssl  Aug20  32:50 /usr/bin/docker -d
root        17  0.1  0.0       0      0 ?      S    Aug20  85:03 [ksoftirqd/1]
root         3  0.1  0.0       0      0 ?      S    Aug20  86:09 [ksoftirqd/0]
root         8  0.1  0.0       0      0 ?      S    Aug20 111:11 [rcuos/0]
root         9  0.1  0.0       0      0 ?      S    Aug20 111:10 [rcuos/1]
root        35  0.2  0.0       0      0 ?      S    Aug20 176:32 [kswapd0]
root         7  0.4  0.0       0      0 ?      S    Aug20 328:01 [rcu_sched]
root@what:~#
-
indeed it should not be using that much CPU.
-
Jesus, I'm glad to see someone gets it... This is bad, but not catastrophic. See: http://cstheory.stackexchange.com/questions/585/what-is-the-difference-between-a-second-preimage-attack-and-a-collision-attack
While SHA1 collisions are bad they are nowhere near as bad as (second) preimage attacks, which is what you'd be concerned about. SHA-1 is still secure against these now and should be for the foreseeable future. It's still a good idea to migrate to SHA2 (or, better yet, SHA3 if your libs support it).
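Two earlier points in the thread turn on this distinction: the remark that the result is "producing two new files with the same hash", not a file with a given hash, and the post above on collision versus (second) preimage. As an added example (not from the original thread or the linked answer), the script below runs both attacks against a deliberately weakened hash, SHA-1 truncated to 16 bits (a constructed parameter so the brute force finishes in seconds), and counts the hash evaluations each one needs. It generalizes the thread's point to the cost formulas: a collision needs about 2^(n/2) evaluations and is guaranteed after 2^n + 1 by the pigeonhole principle, a second preimage needs about 2^n. The function names and the "signed-update.exe" target are chosen for this example.

```python
import hashlib

# Constructed toy parameter: SHA-1 truncated to 16 bits so both searches finish in seconds.
# Real SHA-1 has 160 bits; the costs below scale as 2**(n/2) versus 2**n.
BITS = 16


def short_hash(data: bytes, bits: int = BITS) -> int:
    """SHA-1 truncated to its top `bits` bits: the stand-in weak hash for this demo."""
    digest = hashlib.sha1(data).digest()
    return int.from_bytes(digest, "big") >> (160 - bits)


def find_collision(bits: int = BITS):
    """Collision attack: the attacker chooses BOTH documents.

    Birthday bound: about 2**(bits/2) hashes on average; the pigeonhole
    principle guarantees success after at most 2**bits + 1 distinct inputs.
    Returns (doc_a, doc_b, hashes_computed).
    """
    seen = {}
    for i in range(2 ** bits + 1):
        doc = b"attacker-doc-%d" % i  # constructed inputs, all distinct
        h = short_hash(doc, bits)
        if h in seen:
            return seen[h], doc, i + 1
        seen[h] = doc
    raise RuntimeError("unreachable: the pigeonhole principle guarantees a collision")


def find_second_preimage(target: bytes, bits: int = BITS, limit: int = 2 ** 22):
    """Second-preimage attack: the target is FIXED (for example, an already signed installer).

    Each candidate matches with probability 2**-bits, so the expected cost is
    about 2**bits hashes. Returns (forgery, hashes_computed), or (None, limit)
    if the search gives up.
    """
    want = short_hash(target, bits)
    for i in range(limit):
        candidate = b"forged-%d" % i
        if candidate != target and short_hash(candidate, bits) == want:
            return candidate, i + 1
    return None, limit


if __name__ == "__main__":
    a, b, n_coll = find_collision()
    print(f"collision after {n_coll} hashes: {a!r} and {b!r} -> {short_hash(a):#06x}")
    target = b"signed-update.exe"  # constructed target name
    forgery, n_pre = find_second_preimage(target)
    print(f"second preimage of {target!r} after {n_pre} hashes: {forgery!r}")
    print(f"cost ratio second-preimage/collision at {BITS} bits: about {n_pre / n_coll:.0f}x; "
          f"for full 160-bit SHA-1 the theoretical gap is 2**80")
```

Run it a few times with BITS raised to 20 or 24 and the collision search barely moves while the second-preimage search takes hours; that is the gap the post is describing. A collision attack is what lets an attacker who controls both documents get one signed and transfer the signature to the other; replacing a specific existing signed file, which is what the Windows Update worry needs, is the second-preimage case that SHA-1 still resists.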
-
Christ. I wonder what wordpress is like.
-
also performance used to be much better. we seem to inexplicably lose performance round about the same time we upgrade our discourse install......
Yeah "inexplicably"
-
@accalia said:
also performance used to be much better. we seem to inexplicably lose performance round about the same time we upgrade our discourse install......
Yeah "inexplicably"
was i that unsubtle?
-
It's message board software. It shouldn't be using that much CPU.
Not just that, but it's an SPA. CPU load is being offloaded to the client!
How the fuck are they managing to hit the server so hard?
-
How the fuck are they managing to hit the server so hard?
Have you actually LOOKED at the source code for discourse?
or the database?
or all the moving pieces that make up that docker image they provide?
-
No, thank you very much. I value my sanity ;-)
-
No, thank you very much. I value my sanity ;-)
pity.... i wanted to share my pain.
if you look at the source and the DB it will quickly become apparent why there's performance issues.
-
Keep in mind, this isn't producing a SHA1 file with a given hash - we can't do that with MD5 either right now - but producing two new files with the same hash.
Yes, MD5 is still technically safe for some purposes, but the general philosophy in cryptography is "never risk it". We have so many encryption and hashing algorithms that it's better to throw them away at the first sign of problems.
-
Yes, MD5 is still technically safe for some purposes, but the general philosophy in cryptography is "never risk it". We have so many encryption and hashing algorithms that it's better to throw them away at the first sign of problems.
Not to forget, who knows how far competing secretly-operating teams are ...
-
I think it's mostly database.
-
Yes, do not create new systems using broken primitives, but existing systems have time to be upgraded (no need to run around with your hair on fire).
-
Have you actually LOOKED at the source code for discourse?
I tried once, but instead of a github URL they gave me a special VM configured to open a browser pointing at the github URL.
They said it's much easier this way because I don't have to do it myself.
-
But what if it is?