[MediaWiki-l] Fwd: [Wikitech-l] SHA-1 hash officially broken

Pine W wiki.pine at gmail.com
Fri Feb 24 20:43:18 UTC 2017


Forwarding info that may be of interest.

Pine


---------- Forwarded message ----------
From: Brion Vibber <bvibber at wikimedia.org>
Date: Fri, Feb 24, 2017 at 9:56 AM
Subject: [Wikitech-l] SHA-1 hash officially broken
To: Wikimedia-tech list <wikitech-l at lists.wikimedia.org>


Google security have announced that they have a working collision attack
against the SHA-1 hash:

https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html

It's highly recommended to move to sha-256 where doable.

Note that MediaWiki uses sha-1 in a number of places; in some such as
revision hashes it's advisory for tools only, but in other places like
deleted files (filearchive table) we use it for addressing, and should
consider steps to mitigate attacks swapping in alternate files during
deletion/undeletion.

-- brion
_______________________________________________
Wikitech-l mailing list
Wikitech-l at lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


More information about the MediaWiki-l mailing list