As someone who runs a non-WMF MediaWiki installation and might set up at least one more, it's something that I want to know about. :) More info at https://phabricator.wikimedia.org/T158986, although if I understand the conversation on the Phabricator task correctly, the consensus is that migration off of SHA-1 for MediaWiki software is important but doesn't need to happen overnight because the attack is difficult to execute; however, possible attacks on other software that still runs SHA-1 should be considered. Is that correct, Brian?
Pine
On Fri, Feb 24, 2017 at 1:01 PM, Brian Wolff bawolff@gmail.com wrote:
Before anyone panics, this is not something that people who run mediawiki wikis have to worry about.
-- Brian
On Friday, February 24, 2017, Pine W wiki.pine@gmail.com wrote:
Forwarding info that may be of interest.
Pine
---------- Forwarded message ----------
From: Brion Vibber bvibber@wikimedia.org
Date: Fri, Feb 24, 2017 at 9:56 AM
Subject: [Wikitech-l] SHA-1 hash officially broken
To: Wikimedia-tech list wikitech-l@lists.wikimedia.org
Google security have announced that they have a working collision attack against the SHA-1 hash:
https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
It's highly recommended to move to sha-256 where doable.
Note that MediaWiki uses sha-1 in a number of places; in some such as revision hashes it's advisory for tools only, but in other places like deleted files (filearchive table) we use it for addressing, and should consider steps to mitigate attacks swapping in alternate files during deletion/undeletion.
-- brion
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to: https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
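Added example, not part of the original thread and not MediaWiki code: a toy model of a deleted-file store addressed by hash alone, the situation the forwarded message raises for the filearchive table, with a second digest recorded at deletion time and checked on undeletion. SHA-1 is truncated to 16 bits as a stand-in so that a collision can be found instantly; the `Archive` class, its methods and the file names are hypothetical.

```python
import hashlib

def weak_key(data: bytes) -> str:
    """Stand-in for a SHA-1 storage key: SHA-1 cut to 16 bits so a
    collision is cheap to find (assumption made for this demo only)."""
    return hashlib.sha1(data).hexdigest()[:4]

def find_collision():
    """Birthday search over constructed inputs until two share a key."""
    seen = {}
    i = 0
    while True:
        data = b"constructed file %d" % i
        key = weak_key(data)
        if key in seen:
            return seen[key], data
        seen[key] = data
        i += 1

class Archive:
    """Hypothetical deleted-file store addressed by hash alone."""
    def __init__(self):
        self.blobs = {}   # storage key -> file bytes
        self.rows = {}    # file name -> (storage key, SHA-256 of content)

    def delete_file(self, name, data):
        key = weak_key(data)
        self.blobs[key] = data   # a colliding file lands on the same key
        self.rows[name] = (key, hashlib.sha256(data).hexdigest())

    def undelete_unchecked(self, name):
        return self.blobs[self.rows[name][0]]

    def undelete_checked(self, name):
        key, strong = self.rows[name]
        data = self.blobs[key]
        if hashlib.sha256(data).hexdigest() != strong:
            raise ValueError(f"{name}: content does not match recorded SHA-256")
        return data

def demo():
    first, second = find_collision()
    archive = Archive()
    archive.delete_file("First.png", first)
    archive.delete_file("Second.png", second)
    swapped = archive.undelete_unchecked("First.png") == second
    try:
        archive.undelete_checked("First.png")
        detected = False
    except ValueError:
        detected = True
    return swapped, detected
```

`demo()` returns `(True, True)`: the unchecked restore hands back the other file's bytes, and the SHA-256 comparison rejects it.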