Intentions were great, but the implementation not so much

Feb 27, 2017 14:52 GMT  ·  By

Google has carried out the first practical SHA-1 collision attack, and problems are already being reported: the developers of the WebKit browser engine have broken their Subversion (SVN) source code repository with it.

The problems appeared after the developers tried to add a test for the SHA-1 collision to the project: committing the colliding files corrupted the SVN repository and then blocked further commits.

Shortly afterwards, Google updated the SHAttered website to warn SVN users of the risk, and the Apache Subversion developers released a tool designed to block PDF files like the ones Google produced from being committed.

"Please exercise care, as SHA-1 colliding files are currently breaking SVN repositories. Subversion servers use SHA-1 for deduplication and repositories become corrupted when two colliding files are committed to the repository. This has been discovered in WebKit's Subversion repository and independently confirmed by us. We noticed that in some cases, due to the corruption, further commits are blocked," the note reads.
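To make the failure mode in that note concrete, here is an added Python example (not code from the article, Google, or the Subversion project) of a content-addressed store that deduplicates by digest alone, beside one that compares the stored bytes before treating a commit as a duplicate. The real colliding PDFs are not on the page, so the demo uses a constructed, deliberately truncated digest (`weak_digest`, 8 bits of SHA-1) to obtain a colliding pair quickly; `DedupStore` and `find_colliding_pair` are hypothetical names that model SVN's behaviour, not its implementation.

```python
import hashlib


def weak_digest(data: bytes) -> str:
    # Constructed stand-in for a broken hash: keeping only 8 bits of SHA-1 makes
    # collisions trivial, so the demo runs without the real SHAttered PDFs.
    return hashlib.sha1(data).hexdigest()[:2]


class DedupStore:
    """Content-addressed store whose key is the blob's digest. With
    verify_bytes=False a second blob with the same key is silently treated as a
    duplicate and its bytes are never stored (the corruption described above);
    with verify_bytes=True stored and incoming bytes are compared first."""

    def __init__(self, verify_bytes: bool):
        self.verify_bytes = verify_bytes
        self.blobs = {}

    def put(self, data: bytes) -> str:
        """Return 'stored', 'deduplicated' or 'collision' for this commit."""
        key = weak_digest(data)
        existing = self.blobs.get(key)
        if existing is None:
            self.blobs[key] = data
            return "stored"
        if self.verify_bytes and existing != data:
            return "collision"   # refuse: the key already holds other bytes
        return "deduplicated"    # naive path: the new bytes are never written


def find_colliding_pair():
    """Return two distinct constructed blobs that share a weak digest."""
    seen = {}
    for i in range(10_000):
        blob = b"constructed blob %d" % i
        key = weak_digest(blob)
        if key in seen:
            return seen[key], blob
        seen[key] = blob
    raise RuntimeError("no collision found")


def demo():
    """Commit the colliding pair to both stores; return each store's verdict on b."""
    a, b = find_colliding_pair()
    naive, checked = DedupStore(verify_bytes=False), DedupStore(verify_bytes=True)
    naive.put(a)
    checked.put(a)
    return naive.put(b), checked.put(b)   # ('deduplicated', 'collision')
```

In the naive store a lookup by b's key afterwards returns a's bytes, which is the silent corruption the note describes; the byte comparison costs one read of the existing blob and turns that into a refused commit.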

SHA-1 just isn't safe

The search giant has published two PDF documents that prove SHA-1 collisions are possible: the files have different content but share the same SHA-1 hash, something a secure hash function should make infeasible. Google has said it will release the code it used within 90 days, after which anyone will be able to create such PDFs.

Having the code is not enough on its own, because the attack needs a great deal of computing power: producing a SHA-1 collision has been estimated to cost over $110,000 in compute on Amazon's cloud services. That puts it out of reach of run-of-the-mill attackers, but not of those with proper financing.

As for WebKit, the repository was eventually repaired, but the developers had to drop their plan to add SHA-1 collision detection to their own software.