Talk:Google performs first successful collision attack on SHA-1 security algorithm

From Wikinews, the free news source you can write!
Jump to navigation Jump to search


@Gryllida: Considering that Wikinews writes for a general audience, perhaps some explanation of what a collision attack, cryptographic hash function etc. are or what they're used for or why this matters would be appropriate.

Is what's going on that Google just poked a hole in someone's security system, so proving that it would be wise for everyone to get an upgrade? Darkfrog24 (talk) 04:08, 24 February 2017 (UTC)

Just in case this isn't clear, I don't mean for you to answer me here on this talk page. (If you look closely, my first line does not contain any questions.) I mean for you to define these terms in the article. On Wikipedia, it would be fine to discuss them first, but Wikinews is time-sensitive, so it's best to just get to it. Darkfrog24 (talk) 04:09, 24 February 2017 (UTC)
Added this sentence to the article:
A successful attacker would be able to add a malicious file in the system to damage the backup, deliver a malicious update, attack and decrypt an encrypted connection to a website, replace a file revision history, and do other actions which would substitute valuable files with something seemingly identical but misleading or malicious in practice.
This is my fourth take at delivering the concept. Please try to edit further; I think you would be able to add more juice to it. --Gryllida (talk) 05:23, 24 February 2017 (UTC)

The article does mention the existence of stronger hash functions, I see, though it's a brief mention and well down in the article. I'm thinking that, in reviewing this, I'd tweak the wording in a couple of places to emphasize, when talking about classes of things that could be affected, that they would be affected only if they use that particular hash function rather than some other hash function. It's important to avoid generating unwarranted alarm. (I've seen it remarked that security experts are rather gleeful about this because they've been advising people not to use SHA-1 for years.) --Pi zero (talk) 15:41, 24 February 2017 (UTC)

Done - it would be useful to make the second paragraph even more succinct. Gryllida (talk) 20:10, 24 February 2017 (UTC)


Just a note that the image used in the article is not an official logo, but a user image made for Wikipedia navboxes. I contacted the creator and they updated the description to reflect that. Opencooper (talk) 19:08, 24 February 2017 (UTC)

Added to the image caption. --Gryllida (talk) 20:10, 24 February 2017 (UTC)


Do you really think an average reader can understand what is the meaning of this headline? If they know about Google's automated car, they will think, "this is some kind of road accident." If not they may think, "Google tried to harm SHA-1. But what is this SHA-1? Is it some kind of search engine who tried to steal the data?" and other sort of "stuff". Rename it to something like "Google performs first successful collision attack on SHA-1 encryption". Though this does not convey 100% accurate meaning, this is shorter and let's the reader know what is SHA-1.
acagastya 22:29, 24 February 2017 (UTC)

How about "Google performs first successful collision attack on SHA-1 security algorithm"? --Pi zero (talk) 22:38, 24 February 2017 (UTC)
Accuracy increases. So does the length. The algorithm is a popular one. We should find an interesting title, shouldn't we?
acagastya 23:02, 24 February 2017 (UTC)
Better headline would be fine, if you've a suggestion. I, or somebody, getting into gear and reviewing it sooner rather than later is most important. --Pi zero (talk) 23:07, 24 February 2017 (UTC)
Can we say Sham and Spurious are the same or imply very similar meaning?

Review of revision 4290781 [Passed][edit]

Way of putting this[edit]

Is it okay to say "Since January, Google Chrome does not trust SHA-1 certificates." Wouldn't it be better/ less assuming/ neutral to say, "Since January, Google Chrome discontinued support for SHA-1 certificates." or something similar?
acagastya 16:17, 27 February 2017 (UTC)

Was that a distance-from-source edit? I'd thought the term untrusted was used in a technical sense in such situations. --Pi zero (talk) 16:34, 27 February 2017 (UTC)