
Ask HN: SHA2 vulnerability post was removed. Why? Is it legit? - benzinschleuder
Hello. A moment ago someone posted this: https:&#x2F;&#x2F;github.com&#x2F;laie&#x2F;WorldsFirstSha2Vulnerability
It&#x27;s now gone from HN.<p>Is the vulnerability legit?
======
lisper
Yes. It's legit. No idea why it was removed. It was actually deleted, not just
flagged to death.

[UPDATE] Turns out I was wrong and this is not a vulnerability at all:

[https://crypto.stackexchange.com/questions/48580/fixed-
point...](https://crypto.stackexchange.com/questions/48580/fixed-point-of-the-
sha-256-compression-function)

------
user5994461
[https://github.com/laie/WorldsFirstSha2Vulnerability](https://github.com/laie/WorldsFirstSha2Vulnerability)

Work by a random dude who pretends to find infinite collision so bad that he
can't publish it.

No math. No explanation.

The code is a mix of single letter variables with hardly any comment.

Thank you, I'll pass.

~~~
jstanley
The code sets up a sha256 state, then adds some input to sha256, and then
demonstrates that the sha256 state is the same as it was.

I'd say that counts as a vulnerability. It doesn't mean sha256 is broken, but
it's a vulnerability.

EDIT: All of this modulo a rigged sha256.py, of course

~~~
user5994461
You can google for existing sha256 collisions, nothing special in hard coding
one.

Google it and you'll find the source, if it's a popular collision already
published in papers.

~~~
lisper
I think you're confusing SHA256 with SHA1.

------
ctz
A fixed point in the compression function is not a vulnerability.

Not sure why the post was deleted though.

------
dddddaviddddd
See also
[https://news.ycombinator.com/item?id=14654696](https://news.ycombinator.com/item?id=14654696)
where it's been reposted with comments.

------
8draco8
New thread here
[https://news.ycombinator.com/item?id=14655077](https://news.ycombinator.com/item?id=14655077)

------
jstanley
I cloned the repo in case it gets taken down from GitHub as well.

It's also in ipfs at /ipfs/QmXZwBkdVXBQoB7uZMUh5bzfKAHXnJT836GV1xotiQ46RW and
I've pinned it on both of my ipfs servers.

If you want to do the same:

    
    
      ipfs pin add QmXZwBkdVXBQoB7uZMUh5bzfKAHXnJT836GV1xotiQ46RW
    

or to get it from github:

    
    
      git clone https://github.com/laie/WorldsFirstSha2Vulnerability
      ipfs add -Hr WorldsFirstSha2Vulnerability/
    

(-H includes hidden files - i.e. .git/)

