[MediaWiki-l] Fwd: [Wikitech-l] SHA-1 hash officially broken

Forwarding info that may be of interest. Pine ---------- Forwarded message ---------- From: Brion Vibber <bvibber(a)wikimedia.org> Date: Fri, Feb 24, 2017 at 9:56 AM Subject: [Wikitech-l] SHA-1 hash officially broken To: Wikimedia-tech list <wikitech-l(a)lists.wikimedia.org> Google security have announced that they have a working collision attack against the SHA-1 hash: https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html It's highly recommended to move to sha-256 where doable. Note that MediaWiki uses sha-1 in a number of places; in some such as revision hashes it's advisory for tools only, but in other places like deleted files (filearchive table) we use it for addressing, and should consider steps to mitigate attacks swapping in alternate files during deletion/undeletion. -- brion _______________________________________________ Wikitech-l mailing list Wikitech-l(a)lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l