Talk:Google performs first successful collision attack on SHA-1 security algorithm

From Wikinews, the free news source you can write!

Explanations

@Gryllida: Considering that Wikinews writes for a general audience, perhaps some explanation of what a collision attack, cryptographic hash function etc. are or what they're used for or why this matters would be appropriate.

Is what's going on that Google just poked a hole in someone's security system, so proving that it would be wise for everyone to get an upgrade? Darkfrog24 (talk) 04:08, 24 February 2017 (UTC)

Just in case this isn't clear, I don't mean for you to answer me here on this talk page. (If you look closely, my first line does not contain any questions.) I mean for you to define these terms in the article. On Wikipedia, it would be fine to discuss them first, but Wikinews is time-sensitive, so it's best to just get to it. Darkfrog24 (talk) 04:09, 24 February 2017 (UTC)
Added this sentence to the article:
A successful attacker would be able to add a malicious file in the system to damage the backup, deliver a malicious update, attack and decrypt an encrypted connection to a website, replace a file revision history, and do other actions which would substitute valuable files with something seemingly identical but misleading or malicious in practice.
This is my fourth take at delivering the concept. Please try to edit further; I think you would be able to add more juice to it. --Gryllida (talk) 05:23, 24 February 2017 (UTC)

The article does mention the existence of stronger hash functions, I see, though it's a brief mention and well down in the article. I'm thinking that, in reviewing this, I'd tweak the wording in a couple of places to emphasize, when talking about classes of things that could be affected, that they would be affected only if they use that particular hash function rather than some other hash function. It's important to avoid generating unwarranted alarm. (I've seen it remarked that security experts are rather gleeful about this because they've been advising people not to use SHA-1 for years.) --Pi zero (talk) 15:41, 24 February 2017 (UTC)

Done - it would be useful to make the second paragraph even more succinct. Gryllida (talk) 20:10, 24 February 2017 (UTC)

Image

Just a note that the image used in the article is not an official logo, but a user image made for Wikipedia navboxes. I contacted the creator and they updated the description to reflect that. Opencooper (talk) 19:08, 24 February 2017 (UTC)

Added to the image caption. --Gryllida (talk) 20:10, 24 February 2017 (UTC)

Title

Do you really think an average reader can understand what is the meaning of this headline? If they know about Google's automated car, they will think, "this is some kind of road accident." If not they may think, "Google tried to harm SHA-1. But what is this SHA-1? Is it some kind of search engine who tried to steal the data?" and other sort of "stuff". Rename it to something like "Google performs first successful collision attack on SHA-1 encryption". Though this does not convey 100% accurate meaning, this is shorter and lets the reader know what is SHA-1.
acagastya 22:29, 24 February 2017 (UTC)

How about "Google performs first successful collision attack on SHA-1 security algorithm"? --Pi zero (talk) 22:38, 24 February 2017 (UTC)
Accuracy increases. So does the length. The algorithm is a popular one. We should find an interesting title, shouldn't we?
acagastya 23:02, 24 February 2017 (UTC)
Better headline would be fine, if you've a suggestion. I, or somebody, getting into gear and reviewing it sooner rather than later is most important. --Pi zero (talk) 23:07, 24 February 2017 (UTC)
Can we say Sham and Spurious are the same or imply very similar meaning?

Review of revision 4290781 [Passed]

Way of putting this

Is it okay to say "Since January, Google Chrome does not trust SHA-1 certificates." Wouldn't it be better/less assuming/neutral to say, "Since January, Google Chrome discontinued support for SHA-1 certificates." or something similar?
acagastya 16:17, 27 February 2017 (UTC)

Was that a distance-from-source edit? I'd thought the term untrusted was used in a technical sense in such situations. --Pi zero (talk) 16:34, 27 February 2017 (UTC)