GitHub Uses Broken Cryptography, But It Has a Plan

Jordan Pearson

Jordan Pearson

SHA-1 rears its ugly head.

In February, Google shocked the cryptography community by effectively breaking the stalwart SHA-1 hashing algorithm, making hypothetical concerns about the security of SHA-1 concrete for the first time.

While most folks have moved on from SHA-1 already, there's one place on the web that has the algorithm at its core: GitHub, the nerve centre of every open source project from bitcoin, to government-owned elections software, to the weekend projects of most DIY-minded developers. So, yeah, not good.

Thankfully, on Monday GitHub implemented a system that automatically detects when someone is trying to use an SHA-1 hack, and rejects it.

GitHub stores user data as "objects" that all have a unique SHA-1 hash, which the site uses as ID to keep track of them. This was more or less fine, because SHA-1 is designed so that it is extremely unlikely for two hashes to ever be identical—what's known as a "collision." Google demonstrated a highly specialized method for generating an SHA-1 collision in February, opening the possibility for someone to replace innocent code on GitHub with malicious code, using an identical SHA-1 hash.

According to a company blog post, Google's method of generating an SHA-1 collision "[leaves] a pattern in the bytes" that GitHub can detect. If the alarm bells go off, then GitHub will automatically abort the operation, the blog states.

If all of this seems like a big old bandaid to you, that's because it is. But, according to the blog, GitHub is looking for a more permanent solution.

"The Git project is also developing a plan to transition away from SHA-1 to another, more secure hash algorithm, while minimizing the disruption to existing repository data," the blog states. "As that work matures, we plan to support it on GitHub."

Subscribe to pluspluspodcast , Motherboard's new show about the people and machines that are building our future.

Correction: An earlier version of this article had the headline "GitHub Uses Broken Encryption, But It Has a Plan." SHA-1 is a cryptographic algorithm, not an encryption tool. This article's headline has been updated to reflect this, and Motherboard regrets the error.