Home / News

Security Researchers Announce First SHA-1 Collision, Confirming Fears About Its Vulnerabilities

In a joint announcement today, Dutch research institute CWI and Google revealed that they have broken the SHA-1 internet security standard “in practice”. Industry cryptographic hash functions such as SHA1 are used for digital signatures and file integrity verification, and protects a wide spectrum of digital assets, including credit card transactions, electronic documents, open-source software repositories and software updates.

“Today, 10 years after of SHA-1 was first introduced, we are announcing the first practical technique for generating a collision,” said the Google Team in a blog post today. “This represents the culmination of two years of research that sprung from a collaboration between the CWI Institute in Amsterdam and Google. ... For the tech community, our findings emphasize the necessity of sunsetting SHA-1 usage. Google has advocated the deprecation of SHA-1 for many years, particularly when it comes to signing TLS certificates. ... We hope our practical attack on SHA-1 will cement that the protocol should no longer be considered secure.”

What types of systems are affected? “Any application that relies on SHA-1 for digital signatures, file integrity, or file identification is potentially vulnerable. These include digital certificate signatures, email PGP/GPG signatures, software vendor signatures, software updates, ISO checksums, backup systems, deduplication systems, and GIT.” https://shattered.io/

“This is not a surprise. We’ve all expected this for over a decade, watching computing power increase. This is why NIST standardized SHA-3 in 2012.” Bruce Schneier / Feb 23

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By CircleID Reporter

CircleID’s internal staff reporting on news tips and developing stories. Do you have information the professional Internet community should be aware of? Contact us.

Visit Page

Filed Under

Comments

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC

DNS

Sponsored byDNIB.com

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix

Threat Intelligence

Sponsored byWhoisXML API

Cybersecurity

Sponsored byVerisign