[MediaWiki-l] [Wikitech-l] SHA-1 hash officially broken

Pine W wiki.pine at gmail.com
Fri Feb 24 21:27:39 UTC 2017


As someone who runs a non-WMF MediaWiki installation and might set up at
least one more, it's something that I want to know about. :) More info at
https://phabricator.wikimedia.org/T158986, although if I understand the
conversation on the Phabricator task correctly, the consensus is that
migration off of SHA-1 for MediaWiki software is important but doesn't need
to happen overnight because the attack is difficult to execute; however,
possible attacks on other software that still runs SHA-1 should be
considered. Is that correct, Brian?

Pine


On Fri, Feb 24, 2017 at 1:01 PM, Brian Wolff <bawolff at gmail.com> wrote:

> Before anyone panics, this is not something that people who run mediawiki
> wikis have to worry about.
>
> --
> Brian
>
> On Friday, February 24, 2017, Pine W <wiki.pine at gmail.com> wrote:
> > Forwarding info that may be of interest.
> >
> > Pine
> >
> >
> > ---------- Forwarded message ----------
> > From: Brion Vibber <bvibber at wikimedia.org>
> > Date: Fri, Feb 24, 2017 at 9:56 AM
> > Subject: [Wikitech-l] SHA-1 hash officially broken
> > To: Wikimedia-tech list <wikitech-l at lists.wikimedia.org>
> >
> >
> > Google security have announced that they have a working collision attack
> > against the SHA-1 hash:
> >
> >
> https://security.googleblog.com/2017/02/announcing-first-
> sha1-collision.html
> >
> > It's highly recommended to move to sha-256 where doable.
> >
> > Note that MediaWiki uses sha-1 in a number of places; in some such as
> > revision hashes it's advisory for tools only, but in other places like
> > deleted files (filearchive table) we use it for addressing, and should
> > consider steps to mitigate attacks swapping in alternate files during
> > deletion/undeletion.
> >
> > -- brion
> > _______________________________________________
> > Wikitech-l mailing list
> > Wikitech-l at lists.wikimedia.org
> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
> > _______________________________________________
> > MediaWiki-l mailing list
> > To unsubscribe, go to:
> > https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
> >
> _______________________________________________
> MediaWiki-l mailing list
> To unsubscribe, go to:
> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>


More information about the MediaWiki-l mailing list