Security is quite often about the amount of money you have to put in to get something or somebody hacked.
110,000 USD is in the ballpark of state level players when we are talking about forging documents to avoid any sort of tampering detection. It has practically zero use for small-time hackers or script kiddies. Why would anybody invest 110K into a collision? What is the practical use of it?
The thing people fear is (1) A collision that lets you have good code pass review, then have evil code released to users; (2) That happening to Linux/Android/Firefox/Chrome; (3) The cost of creating a remote code execution exploit being lower than the market value of that exploit on the black market.
I don't know how /realistic/ this fear is. Certainly, if everyone PGP signs all their commits, it's a much-reduced risk - but how many projects mandate that?
Or some less scrutinised but widely deployed package.
There are many low cost ways of doing "$100k worth of AWS" computation. E.g. botnets, distributed volunteering, moonlight use of employers' idle servers etc etc.
Also: that cost is certain to drop, and it might drop quite quickly - simply due to software and hardware improvements. If anything algorithmic shows up, it could change dramatically. Let's not wait for that to happen.
You'd ideally want to do this with a binary blob (firmware or graphics driver, because you know there's one sitting in git somewhere). Then, how is anyone going to know the difference?
> Why would anybody invest 110K into a collision? What is the practical use of it?
Suppose you are on the verge of completing a major sale to some large, nervous purchaser -- perhaps a major world military. This is a decent-sized but not huge sale: $2 billion, with profits of around $200 million. The other major competitor for this contract is built around Linux and your offering relies on a custom operating system.
Your head of sales thinks that the purchasing agent seems particularly concerned about security issues with the operating system -- keeps asking questions like "So, can you document that your system is less vulnerable than some 'open source' system?". The head of sales makes a rough guess that a news story about vulnerabilities in Linux might sway the chance of winning the contract by around 5%.
So: that's $10 million in value to your company that might be created by generating publicity about the vulnerability of Git, so long as that publicity is generated at the right moment in time. What's the chance that 1% of that can be "found" to make it happen?
The thing is: $110,000 is actually a very SMALL amount of money, relative to the amounts of money that many influential people manage on a daily basis. The use doesn't have to be very practical for it to be well worth it.
Patches in Linux are reviewed by multiple people before merging. Even if you create a collision and submit a patch you cannot really do much without write access to the repo. It is even more difficult because the person merging a patch will not fast forward in most cases.
This attack still does not allow for inserting arbitrary data in arbitrary places to make an attack on Linux possible. Finally, SHA1 in git also takes size into consideration and makes this attack even more expensive[2].
People should really chill out. There are cheaper attack vectors than collisions.
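The remark above about git taking the size into account refers to how git builds object IDs: it hashes a header of the form `<kind> <length>\0` in front of the payload rather than the raw bytes. The following is an added example (not code from any commenter or from git itself) that reproduces that computation in Python so the effect can be checked. Two payloads of different length get different headers, and even for equal lengths the header is a fixed prefix in front of the attacker's bytes, so an identical-prefix collision pair built for some other prefix does not collide as git blobs; the collision would have to be computed with git's header as the prefix. The sample payloads are constructed; `collide_as_git_objects` and the other function names are this example's own.

```python
import hashlib

# Object kinds git hashes with a "<kind> <size>\0" header in front of the payload.
GIT_OBJECT_KINDS = ("blob", "tree", "commit", "tag")


def git_object_header(kind: str, content: bytes) -> bytes:
    """Header git prepends before hashing, e.g. b'blob 6\\x00' for six bytes."""
    if kind not in GIT_OBJECT_KINDS:
        raise ValueError(f"unknown git object kind: {kind!r}")
    return b"%s %d\0" % (kind.encode("ascii"), len(content))


def git_object_id(kind: str, content: bytes) -> str:
    """Hex object ID as `git hash-object -t <kind>` computes it: SHA-1(header + payload)."""
    return hashlib.sha1(git_object_header(kind, content) + content).hexdigest()


def raw_sha1(content: bytes) -> str:
    """Plain SHA-1 of the bytes, for comparison with the git object ID."""
    return hashlib.sha1(content).hexdigest()


def collide_as_git_objects(kind: str, a: bytes, b: bytes) -> bool:
    """True only if two *different* payloads would receive the same git object ID.

    Note that a different length changes the header, so payloads of unequal
    length are hashed over different prefixes even before their own bytes differ.
    """
    return a != b and git_object_id(kind, a) == git_object_id(kind, b)


if __name__ == "__main__":
    # Constructed sample payloads; "hello\n" is the classic git documentation example.
    for payload in (b"", b"hello\n"):
        print(payload, raw_sha1(payload), git_object_id("blob", payload))
    # Header for a 6-byte blob versus a 7-byte blob: different prefixes.
    print(git_object_header("blob", b"hello\n"), git_object_header("blob", b"hello!\n"))
    print(collide_as_git_objects("blob", b"one", b"two"))  # False for ordinary inputs
```

To cross-check against a real git, `printf 'hello\n' | git hash-object --stdin` prints the same ID as `git_object_id("blob", b"hello\n")`, and it differs from `printf 'hello\n' | sha1sum` precisely because of the header.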
Notice that the attack I described does not require actually merging in the patch, it only requires that news stories be written about how there might be such a vulnerability.
I am NOT implying that it might not be hypothetical. I have absolutely no reason to believe that anything like this has been attempted. I'm just trying to point out that for many out there, $100K is chump change.
If there's no practical use for it then even state level players won't bother with it.
If there's ever a practical use for it (i.e. money to be made) $110k is totally accessible to the private sector. It's definitely not "a nation-state's worth of resources" which is the quote I was replying to.
Fortunately there doesn't appear to be a whole lot of practical use for these collisions for the time being.
In other words, SHA-1 is still nowhere near as insecure as MD5, the latter for which collisions can be generated in seconds on hardware everyone already has.