>>4374>That said, this approach is basically the same that was used to create two certificates whose MD5 hashes collide back in 2007 (I think).
The 2007 Attack (RogueCA, Alexander Sotirov, Marc Stevens, et. all) used H(P || M_1 || S) = H(P' || M_1 || S), but before in 2005 Arjen Lenstra, Benne de Weger and Xiaoyun Wang showed that they were able to use H(P || M_1 || S) = H(P || M_1 || S) hiding the collision blocks in such a way that two public keys for the same identity would have the identical CA Signature. The former allows to assume different Identities the later does not.
They claim in their FAQ that an image says more than thousand words so pic related is given. I'm looking at the pdfs, but I'm not really knowledgeable with the format. I extracted the image part (or what I think that is), but it seems to be malformed standing on its own. There is by the way a second set of pdfs at the end of the paper.
They say in the paper they employed several improved techniques that do crazy stuff with JPEG Parsing, so I guess we have to wait for that release of information, probably the reference  can tell more about this already. I haven't had the time yet to read it.>>4375>So this is just a loud signal what we really need to drop SHA1 in near future and not what we must drop it today.
I think yet another (but still impressive signal) yes, and we have been deprecating it already. But its nothing to Hype up to "OMG EVERYTHING IS BROKEN" not primarily because of the computation power required (Who can't blow ~$110k just for fun?) but because its an identical prefix collision attack.
They specifically mention git on their page playing the scenario of servicing a clean and a backdoored version. My understanding is that the backdoor, since its an identical prefix, must be encoded with the collision blocks, so this
is not just dropping some binary looking blob somewhere it must also encode meaningful code which tends to have low-entropy and a rigid structure. They seem to have come up with some nifty tricks with the JPG, certainly to lower the
constraints as much as possible.
 Malicious Hashing: Eve’s Variant of SHA-1, Ange Albertini, Jean-Philippe Aumasson, Maria Eichlseder, Florian Mendel, Martin Schläffer 10.1007/978-3-319-13051-4_1