Hacker News new | comments | show | ask | jobs | submit login

Comparing the sha-1 is much faster than reading the ssd, so it's almost free.

Accidental sha-1 collision is probably not a problem, but in a few years [1] it will be possible to crate sha-1 collisions and use that as an attack. It looks difficult, but supposes that with the correct string an attacker can retrieve the cached information of another user, for example sha1("joedoe:creditcard")=sha1("atacker:hc!?!=u?ee&f%g#jo").

I don't know if they are using randomization, because the collision can be used (in a few years) as a DOS atack [2]

[1] http://www.schneier.com/blog/archives/2012/10/when_will_we_s...

[2] http://www.gossamer-threads.com/lists/python/dev/959026

Your example describes a preimage attack on SHA-1, not a collision attack. Even with a working collision attack you are probably still far away from taking "some.other.input" and creating a sha1("some.other.input") = sha1("johndoe:creditcard").

For instance MD5 collisions are really easy to create but for preimage attacks on MD5 there is still no better approach than just doing brute force.

Applications are open for YC Summer 2018

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact