SHA-1 is dead

SHA-1, the old secure hashing algorithm, is now broken in practice. See the Google Security blog post on the first SHA-1 collision.

SHA-1 was already theoretically broken in 2005, when Prof. Xiaoyun Wang announced a differential attack. By 2010, NIST had decided to declare SHA-1 deprecated.

SHA-1 is still in use in BitTorrent and on some HTTPS sites. As far as I know, Chrome is currently the only browser that considers SHA-1-signed certificates not secure. Firefox is about to phase it out as well, and Edge wants to do this in the middle of this year.

BitTorrent uses SHA-1 as well. Since we now have the first proven collisions, this could become interesting in lawsuits coming from the content industry … :-)


SHA-1 is proven broken and must not be used anymore for crypto purposes.
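
A check for the SHA-1-signed certificates mentioned above, as an added example that is not part of the original post: a standard-library Python reader that pulls the signature algorithm OID out of a DER-encoded certificate and flags the common SHA-1 ones. The function names and the two certificate-shaped sample inputs are constructed for illustration.

```python
# OIDs of common signature algorithms that hash with SHA-1.
SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # a clear high bit ends the current arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)  # the first encoded arc packs two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def signature_oid(cert_der):
    """Certificate ::= SEQUENCE {tbsCertificate, signatureAlgorithm, signatureValue}"""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(cert, 0)        # skip tbsCertificate
    _, alg, _ = read_tlv(cert, pos)      # AlgorithmIdentifier
    tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return decode_oid(oid)

def uses_sha1_signature(cert_der):
    return signature_oid(cert_der) in SHA1_SIG_OIDS

# Constructed samples: certificate-shaped DER skeletons, not real certificates.
def _tlv(tag, body): return bytes([tag, len(body)]) + body
def sample_cert(oid_hex):
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    return _tlv(0x30, _tlv(0x30, b"") + alg + _tlv(0x03, b"\x00\xaa"))
SHA1_CERT = sample_cert("2a864886f70d010105")    # sha1WithRSAEncryption
SHA256_CERT = sample_cert("2a864886f70d01010b")  # sha256WithRSAEncryption
```

For a PEM file, convert it to DER first with `ssl.PEM_cert_to_DER_cert` from the standard library.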