possible attacks on other software that still runs
SHA-1 should be considered. Is that correct, Brian
I think so, yes. However, this
list is probably not the best forum for it, right? Speaking about MediaWIki _users_: If
there's really a problem with SHA-1 in their setup, they usually (unfortunately)
can't do anything about it, as it's clearly implementation and not configuration.
I think (without speaking for him), that’s what Brian wanted to say :) MediaWiki users and
even site admins can't change anything here, this has to be handled by developers (if
site admins want to join as developers: You're welcome! :)) and they should usually
subscribe to wikitech-l, too :P
Best,
Florian
-----Ursprüngliche Nachricht-----
Von: MediaWiki-l [mailto:mediawiki-l-bounces@lists.wikimedia.org] Im Auftrag von Pine W
Gesendet: Freitag, 24. Februar 2017 22:28
An: MediaWiki announcements and site admin list <mediawiki-l(a)lists.wikimedia.org>
Betreff: Re: [MediaWiki-l] [Wikitech-l] SHA-1 hash officially broken
As someone who runs a non-WMF MediaWiki installation and might set up at least one more,
it's something that I want to know about. :) More info at
https://phabricator.wikimedia.org/T158986, although if I understand the conversation on
the Phabricator task correctly, the consensus is that migration off of SHA-1 for MediaWiki
software is important but doesn't need to happen overnight because the attack is
difficult to execute; however, possible attacks on other software that still runs SHA-1
should be considered. Is that correct, Brian?
Pine
On Fri, Feb 24, 2017 at 1:01 PM, Brian Wolff <bawolff(a)gmail.com> wrote:
Before anyone panics, this is not something that
people who run
mediawiki wikis have to worry about.
--
Brian
On Friday, February 24, 2017, Pine W <wiki.pine(a)gmail.com> wrote:
Forwarding info that may be of interest.
Pine
---------- Forwarded message ----------
From: Brion Vibber <bvibber(a)wikimedia.org>
Date: Fri, Feb 24, 2017 at 9:56 AM
Subject: [Wikitech-l] SHA-1 hash officially broken
To: Wikimedia-tech list <wikitech-l(a)lists.wikimedia.org>
Google security have announced that they have a working collision
attack against the SHA-1 hash:
https://security.googleblog.com/2017/02/announcing-first-
sha1-collision.html
It's highly recommended to move to sha-256 where doable.
Note that MediaWiki uses sha-1 in a number of places; in some such
as revision hashes it's advisory for tools only, but in other places
like deleted files (filearchive table) we use it for addressing, and
should consider steps to mitigate attacks swapping in alternate
files during deletion/undeletion.
-- brion
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l