SHA-1 Collision – Insecurity of SHA-1 exposed by Google

SHA-1 is widely used in applications like SSL, SSH, TLS, IPsec PGP, S/MIME to protect the sensitive information.

Google has demonstrated that SHA-1 Collision is possible and two files can have the same SHA-1 hash. This means that system can be manipulated by presenting it with manipulated data with same hash as good data.

SHA-1 (Secure Hash Algorithm 1) was considered insecure way back in 2010 and many companies have already phased it out and many more are planning to phase out SHA-1.

Google Chrome no longer trust SHA-1 signed certificates. Other major players like Microsoft has plans to deprecate SHA-1 by the middle 2017 when its Internet Explorer and Edge browsers will block SHA-1. Firefox is also planning to deprecate SHA-1 from its browsers. However GnuPG e-mail encryption still trusts SHA-1.

here is the Google Security blog post with more technical details Announcing the first SHA1 collision


This site uses Akismet to reduce spam. Learn how your comment data is processed.