SHA1 is broken, should I need to worry about MySensors security?
Recently, Google announced that it had succeeded in calculation colliding SHA1 checksums with "reasonable" effort and thus concluding SHA1 is now obsolete and insecure.
MySensors security backend rely on hashes as well, but rest assured there is absolutely no impact for message signatures as they are based on SHA256 and not SHA1.
For details on the cracking, see here.
Great, no use to trash my stock of atsha
@Nca78 indeed you don't need to do that. And according to Linus himself, we don't really need to worry about our git repositories being compromised either. And he is correct, as there is a difference in using hashes for content identifiers (like git) and security signing (like us).
For an attacker to try to make a collision attack they need to
- Hack githubs security (or fool the core team)
- Design a collision that contains data that would go unnoticed in our repo.
Both quite unlikely