SHA1 Is Now Officially Insecure

in #security, 7 years ago

A collision in the SHA1 hashing algorithm has now been demonstrated. I just saw this article retweeted and wanted to share it with the developer community on Steemit as well:

At death’s door for years, widely used SHA1 function is now dead.

Some key paragraphs that stood out to me:

Now, researchers have demonstrated a similar type of real-world attack against SHA1, which ironically was widely adopted after the insecurity of MD5 became well-known. The SHA1 collision is documented in a research paper published Thursday. It presents two PDF files that, despite displaying different content, have the same SHA1 hash. The researchers warned that the same technique—which costs as little as $110,000 to carry out on Amazon's cloud computing platform—could be used to create collisions in GIT file objects or digital certificates.

Fortunately, certificates to HTTPS-protected websites aren't likely to be affected. Since the beginning of this year, browser-trusted certificate authorities have been barred from relying on SHA1 to sign TLS certificates they issue.

Consistent with Google's security disclosure policy, the source code for performing the collision attack will be published in 90 days. That means Git and an unknown number of other widely used services that rely on SHA1 have three months to wean themselves and their users off the insecure function.

That last one is huge.

Declining payout, just posting as an FYI.


Luke, I love reading all your posts. They always have great value in my eyes and I tend to agree with most of your positions. That said, a lot of the stuff you talk about is WAY over my head (not your fault, obviously; I just don't know as much about this stuff as you and others do). This post is a prime example. I might as well be reading hieroglyphs. What are the chances you could do a "dumbed down" version in a paragraph or less for us not-so-technologically-advanced peasants? Might be too much to ask, but I thought I would regardless.

I figured this post wouldn't be for everyone (one of the reasons I declined payment). It would take a little bit to explain what a hashing algorithm is and why that's important for security (which also involves blockchain technologies), but for the most part, non-programmers don't have to worry about this stuff too much. There are probably resources online that would do a much better job than I at explaining what this is about.

I'm glad you enjoy reading. I know I can't please everyone all the time, so I appreciate your willingness to learn more and grow. :)

Consistent with Google's security disclosure policy, the source code for performing the collision attack will be published in 90 days. That means Git and an unknown number of other widely used services that rely on SHA1 have three months to wean themselves and their users off the insecure function.

Woah. I wonder what this news will do for sha256 that bitcoin uses.

In reality it has been insecure for a while. This is just the final nail in the coffin.

SHA1 was never secure.

They even teach you how to break it in basic computer security classes, and have been teaching that for years.

Thanks. This is interesting.

$110K is still a rather steep price threshold to clear.

I wonder how much an adequate RSA/DSA/SSL2 hack would cost. Hopefully more than most hackers can afford.

Shout out to @abit and @fyrstikken for voting up some comments here. :) I didn't share this expecting rewards but they are always nice to receive.
