Isn't using SHA1 checksums for SDK files a security risk? [answered]
As mentioned in this question, SHA1 has been obsoleted/cracked in early 2017.
Still, the checksums (e.g. qtcreator) used for the SDK downloads are SHA1.
Doesn't this introduce a security risk, since the hashes could potentially be reproduced despite having modified the packages?
You are completely nuts, you know? :)
There has been just one sha1 collision found, and searching for it required an incredible amount of computing power for a long time...
Pronouncing sha1 dead is absurd. Go back and do your homework properly.
juiceme ( 2018-03-08 10:02:45 +0300 )
Well yes, I am a bit nuts. But that's a completely different matter :-P
rozgwi ( 2018-03-08 14:42:10 +0300 )
If the question sounded too alarming or was exaggerating, I apologize.
But apparently SHA1 is deemed dead by quite a few people. At least when it comes to encryption. So not that absurd after all.
Anyways using sha256sums would not hurt.
leszek ( 2018-03-08 15:22:28 +0300 )
hehe, could be I came out a bit there :)
however it remains so that there is no actual fault in sha1, it just is vulnerable to brute force attack, weighted heavily on the word brute. (and what current crypto isn't, please tell me...)
I have some applications that use authentication tokens in the form of sha1sums and I remain confident that nobody is going to crackdown on that in any near future... :)
juiceme ( 2018-03-08 15:24:50 +0300 )
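The sha256sums suggestion in the thread, seen from the download side, as an added example that is not from the thread or the SDK's own tooling: it checks a file against a `sha256sum`-style manifest line and refuses 40-hex-character (SHA-1) digests unless explicitly allowed. The file name `sdk-package.bin`, its payload and the manifest are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> hashlib algorithm name.
ALGO_BY_HEXLEN = {40: "sha1", 64: "sha256"}

def parse_manifest(text):
    """Parse sha1sum/sha256sum-style lines: '<hex digest>  <filename>'."""
    entries = {}
    for line in text.splitlines():
        digest, _, name = line.strip().partition(" ")
        if digest and name:
            entries[name.strip().lstrip("*")] = digest.lower()
    return entries

def file_digest(path, algo):
    """Hash the file in chunks so large SDK archives do not fill memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(path, expected_hex, allow_sha1=False):
    """Return 'ok', 'mismatch', 'weak-algorithm' or 'unknown-algorithm'."""
    algo = ALGO_BY_HEXLEN.get(len(expected_hex))
    if algo is None:
        return "unknown-algorithm"
    if algo == "sha1" and not allow_sha1:
        return "weak-algorithm"
    actual = file_digest(path, algo)
    return "ok" if hmac.compare_digest(actual, expected_hex) else "mismatch"

def demo():
    """Constructed sample: a fake package and a manifest built for it."""
    with tempfile.TemporaryDirectory() as d:
        pkg = os.path.join(d, "sdk-package.bin")  # hypothetical file name
        with open(pkg, "wb") as f:
            f.write(b"constructed sample payload")
        sha256 = file_digest(pkg, "sha256")
        manifest = parse_manifest(f"{sha256}  sdk-package.bin\n")
        expected = manifest["sdk-package.bin"]
        results = [verify(pkg, expected), verify(pkg, file_digest(pkg, "sha1"))]
        with open(pkg, "ab") as f:
            f.write(b"!")  # simulate a modified package
        results.append(verify(pkg, expected))
        return results
```

A checksum of either kind only helps if the manifest itself arrives over a channel the package's modifier cannot also alter.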