Google researches show common crypto tool SHA-1 is insecure

As Wired described it:
Concerns about SHA-1 used to be theoretical, hinging on vulnerabilities that seemed prohibitively resource-intensive to exploit. But now a team of researchers from CWI Amsterdam and Google have successfully developed an attack on SHA-1 that doesn’t require extravagant assets to pull off. That means any system still using SHA-1 to verify and protect data is very much at risk.

And there are a lot of systems using it:
But while many corners of the internet have abandoned it, SHA-1 remains pervasive, particularly in services that need to interoperate with legacy systems running older software. It also persists because of the idea that it is not at risk of being actively attacked. For example, a popular implementation of the encryption program Pretty Good Privacy (PGP) still says that SHA-1 is “believed to be safe,” even though it’s not the preferred hash function.

Announcement with technical details on the Google Security Blog:
https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html

Read the overview in +WIRED
https://www.wired.com/2017/02/common-cryptographic-tool-turns-majorly-insecure/

Firefox no longer accepts SHA-1 starting today in reaction to the announcement:
https://plus.google.com/+ElieBursztein/posts/UhPJqxpR4JA

Chrome removed support for SHA-1 certificates in Chrome 56 (January 2017):
https://security.googleblog.com/2016/11/sha-1-certificates-in-chrome.html

(All via +Elie Bursztein, Anti-fraud & abuse research lead at Google, and part of the team that cracked SHA-1)
Shared publiclyView activity