SHA1 Is Dead! Long Live SHA1
We have known for several years that SHA1 hashes are vulnerable to collision attacks which can be used to unencrypt the data which uses it and many applications have phased it out over the past five years. Unfortunately many sites, like Git, still make use of it for content or handling HTTPS traffic, the open source version of PGP called GnuPG still uses it for keys and TLS and Secure Shell will still accept it. The only good news Ars Technica has to offer is that it is still rather expensive to exploit, however the price is now less than half of what the original exploit would cost you.
Drop by for a deeper look into SHA1, collision vulnerabilities and how the price tag was determined, if you dare.
The attack unveiled on Tuesday also costs as little as $45,000 to carry out. The attack disclosed in 2017, by contrast, didn’t allow forgeries on specific predetermined document prefixes and was evaluated to cost from $110,000 to $560,000 on Amazon’s Web Services platform, depending on how quickly adversaries wanted to carry it out.