Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Apache Subversion System Affected by SHA-1 Collision

The successful SHA-1 collision attack announced last week by Google and CWI appears to have a serious impact on repositories that use the Apache Subversion (SVN) software versioning and revision control system.

The successful SHA-1 collision attack announced last week by Google and CWI appears to have a serious impact on repositories that use the Apache Subversion (SVN) software versioning and revision control system.

Developers of the WebKit web browser engine noticed severe problems after attempting to add a test for the SHA-1 collision to their project. Uploading the example collision PDF files provided by Google caused their SVN repository to become corrupted and prevent further commits.

Google has posted an update to the SHAttered website to warn SVN users of the risks, and Apache Subversion developers have created a tool designed to prevent PDF files such as the ones provided by Google from being committed.

The search giant has so far only published two PDF documents that prove SHA-1 collisions are possible (i.e. the files have the same SHA-1 hash, but different content). However, after 90 days, the company will release the code that allows anyone to create such PDFs.

Finding SHA-1 collisions still requires significant resources – it would cost an attacker at least $110,000 worth of computing power via Amazon’s cloud services – but it’s still 100,000 times faster compared to a brute-force attack.

The SHAttered attack also impacts the Git distributed version control system, which relies on SHA-1 for identifying and checking the integrity of file objects and commits.

Advertisement. Scroll to continue reading.

However, “the sky isn’t falling,” according to Linux kernel creator Linus Torvalds. Torvalds pointed out that there is a big difference between using SHA-1 for security and using it for generating identifiers for systems such as Git.

Nevertheless, steps have already been taken to mitigate these types of attacks, and Torvalds says Git will eventually transition to a more secure cryptographic hash function.

“There’s a plan, it doesn’t look all that nasty, and you don’t even have to convert your repository,” Torvalds said in a post on Google+. “There’s a lot of details to this, and it will take time, but because of the issues above, it’s not like this is a critical ‘it has to happen now thing’.”

In addition to version control systems, collision attacks pose a serious threat to digital certificates, email signatures, software updates, vendor signatures, backup systems and ISO checksums. Major vendors have already started moving away from SHA-1, including Google, Facebook, Microsoft and Mozilla.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.