There are a few things out there in cyberspace still floating around that probably shouldn’t be. Flash comes to mind right off the bat, but the other is SHA-1. From a security standpoint both of these need to be retired, badly. But more importantly, people need to just stop using them.
A few days ago researchers from Google Research and CWI Amsterdam, were able to create the first collisions for the ailing algorithm. Which only confirmed that SHA-1 is weakening in the face of advanced technology and cheaper, more powerful computing. They did have to throw about $100,000 of computing time into creating the collision, but also discovered that it was about 100,000 times easier to crack than it was believed to have been.
Okay, you’re probably thinking, “That’s an awful lot of computing power, nobody is going to be doing this on their own.” And for the most part you’d be right. However… Google also release a demo of code snippets as examples of the ease in which you can recreate the experiment. Using these code snippets you could mount a prefix attack and essentially create your own collision documents. And now that they’re known, well you get the picture.
So, knowing that now, how do you feel about your tools still running SHA-1? I’m looking at you Git!