> possible attacks on other software that still runs SHA-1 should be > considered. Is that correct, Brian I think so, yes. However, this list is probably not the best forum for it, right? Speaking about MediaWIki _users_: If there's really a problem with SHA-1 in their setup, they usually (unfortunately) can't do anything about it, as it's clearly implementation and not configuration. I think (without speaking for him), that’s what Brian wanted to say :) MediaWiki users and even site admins can't change anything here, this has to be handled by developers (if site admins want to join as developers: You're welcome! :)) and they should usually subscribe to wikitech-l, too :P
Best, Florian -----Ursprüngliche Nachricht----- Von: MediaWiki-l [mailto:[email protected]] Im Auftrag von Pine W Gesendet: Freitag, 24. Februar 2017 22:28 An: MediaWiki announcements and site admin list <[email protected]> Betreff: Re: [MediaWiki-l] [Wikitech-l] SHA-1 hash officially broken As someone who runs a non-WMF MediaWiki installation and might set up at least one more, it's something that I want to know about. :) More info at https://phabricator.wikimedia.org/T158986, although if I understand the conversation on the Phabricator task correctly, the consensus is that migration off of SHA-1 for MediaWiki software is important but doesn't need to happen overnight because the attack is difficult to execute; however, possible attacks on other software that still runs SHA-1 should be considered. Is that correct, Brian? Pine On Fri, Feb 24, 2017 at 1:01 PM, Brian Wolff <[email protected]> wrote: > Before anyone panics, this is not something that people who run > mediawiki wikis have to worry about. > > -- > Brian > > On Friday, February 24, 2017, Pine W <[email protected]> wrote: > > Forwarding info that may be of interest. > > > > Pine > > > > > > ---------- Forwarded message ---------- > > From: Brion Vibber <[email protected]> > > Date: Fri, Feb 24, 2017 at 9:56 AM > > Subject: [Wikitech-l] SHA-1 hash officially broken > > To: Wikimedia-tech list <[email protected]> > > > > > > Google security have announced that they have a working collision > > attack against the SHA-1 hash: > > > > > https://security.googleblog.com/2017/02/announcing-first- > sha1-collision.html > > > > It's highly recommended to move to sha-256 where doable. > > > > Note that MediaWiki uses sha-1 in a number of places; in some such > > as revision hashes it's advisory for tools only, but in other places > > like deleted files (filearchive table) we use it for addressing, and > > should consider steps to mitigate attacks swapping in alternate > > files during deletion/undeletion. > > > > -- brion > > _______________________________________________ > > Wikitech-l mailing list > > [email protected] > > https://lists.wikimedia.org/mailman/listinfo/wikitech-l > > _______________________________________________ > > MediaWiki-l mailing list > > To unsubscribe, go to: > > https://lists.wikimedia.org/mailman/listinfo/mediawiki-l > > > _______________________________________________ > MediaWiki-l mailing list > To unsubscribe, go to: > https://lists.wikimedia.org/mailman/listinfo/mediawiki-l > _______________________________________________ MediaWiki-l mailing list To unsubscribe, go to: https://lists.wikimedia.org/mailman/listinfo/mediawiki-l _______________________________________________ MediaWiki-l mailing list To unsubscribe, go to: https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
