Announcement

Collapse
No announcement yet.

With SHA1 Proven Unsafe, Ubuntu's Mir Switches From SHA1 To SHA256

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • With SHA1 Proven Unsafe, Ubuntu's Mir Switches From SHA1 To SHA256

    Phoronix: With SHA1 Proven Unsafe, Ubuntu's Mir Switches From SHA1 To SHA256

    Now that Google has proven SHA1 as unsafe, Ubuntu's Mir display server developers were quick to abandon its usage in favor of SHA256...

    http://www.phoronix.com/scan.php?pag...SHA256-Cookies

  • #2
    Well, is Mir using it to encrypt data or to ensure binary integrity.

    Imy with Linus in that binary integrity is not effected by SHA1 being imperfect.

    It be like throwing away a shovel just because it can't dig molten lava. A shovel is not intended for that purpose.

    Comment


    • #3
      Originally posted by ElectricPrism View Post
      Well, is Mir using it to encrypt data or to ensure binary integrity.
      Micheael linked the article about "Mir Cookies" in his article.
      Mir's cookie library is explained as, "a simple mechanism for a group of cooperating processes to hand out and verify difficult-to-forge timestamps to untrusted 3rd parties."

      That's a security feature, therefore SHA1 is definitely a nope here.

      Comment


      • #4
        Originally posted by ElectricPrism View Post
        Well, is Mir using it to encrypt data or to ensure binary integrity.

        Imy with Linus in that binary integrity is not effected by SHA1 being imperfect.
        Erm, the only purpose for hashing algorithms (like SHA family) is verification of integrity. They are one-way functions that transform input data into a random pattern of a fixed length but without the possibility of 'extracting' the original data in any way. I imagine any use of SHA-1 hashes will cause sort of a vulnerability but you have to then decide whether or not that vulnerability is feasible in practical terms. Like Linus reasoned it with Git: the point of SHA-1 hashes is not to make Git secure per se but to achieve basic level of integrity verification (against non-intentional corruptions).
        Last edited by curfew; 02-27-2017, 05:16 PM.

        Comment


        • #5
          What about apt-get, synaptic, snap, GNOME Software, PackageKit, and Flatpak?

          Comment


          • #6
            That's a bit late. SHA1 has been known to be weak and about to break for a long time. Not critical enough to need immediate replacement, but why would anyone use it in new code?

            Comment


            • #7
              Originally posted by uid313 View Post
              What about apt-get, synaptic, [...]
              As for apt (and synaptic I guess): SHA1 is "untrusted" and "unusable" [1], but you can use it if you want. My guess is you'll have to specifically enable it, so it's on you if you have a security vulnerability.

              [1] "Do not consider SHA1 usable" March 2016, https://tracker.debian.org/media/pac...ngelog-1.4~rc2

              Comment


              • #8
                Originally posted by uid313 View Post
                What about apt-get, synaptic, snap, GNOME Software, PackageKit, and Flatpak?
                apt-get, zypper, yum support SHA256 already since a while, GNOME Software, Synaptic and packagekit are just front-ends (GNOME software is a frontend for packagekit that is a frontend for the distro's package manager, I WANT MORE ABSTRACTIONS HERE, ADD THEM PLX), flatpack supports SHA256, dunno about snap but I would be surprised if it's different.

                Also LEDE has migrated to SHA256 recently from MD5 that was what was used in OpenWRT's latest release (a year ago).

                Comment


                • #9
                  SHA1 was perfect for Mir: a soon-to-be-dead checksumming algorithm for a soon-to-be-dead display server. Such a pity they decided to move to sha256
                  ## VGA ##
                  AMD: X1950XTX, HD3870, HD5870
                  Intel: GMA45, HD3000 (Core i5 2500K)

                  Comment


                  • #10
                    This is the first time I read the words "Mir" and "quick" in the same sentence.

                    Comment

                    Working...
                    X