On Feb 23, 2017, Google and news agencies like WSJ published a startling find! Researchers from the CWI Institute in Amsterdam and Google were successful in generating a hash collision with SHA-1.
A collision means that two different messages, when hashed separately, produce the same hash. Hashing converts a document that may be something like 5MB into a 40-digit number. If you’re wondering why a collision hadn’t been found earlier: compressing a document to only 40 digits means that eventually there would be a collision. Eventually, yes, but 40 digits is a huge number, so finding one at random is impractical. Being able to engineer a collision is therefore astonishing, a huge technical feat!
What these researchers were able to do is find a collision almost 100,000 times faster than a strict brute force attack. Yes, they leveraged Google’s tremendous cloud infrastructure to do so, but the point remains that they did it. That means others will say “Watch me too!” The attack required a lot of computations: over 9,223,372,036,854,775,808, i.e. 9 quintillion, i.e. 6,500 years of single-CPU computations or 110 years of single-GPU computations. If someone wanted to replicate it, they likely could, and Google says this is likely within a month. Appropriately, Google has provided a free detection link that one can use to better understand the attack and ways to mitigate it.
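To make the scale concrete, here is an added example (not from the original post or from the researchers) that runs a plain brute-force birthday search against SHA-1 truncated to a few hex digits, then compares the generic bound for the full 40-digit hash with the work figure quoted above. The message prefix and function names are constructed for illustration.

```python
import hashlib
from itertools import count

SHA1_BITS = 160                            # full digest: 40 hex digits
ATTACK_WORK = 9_223_372_036_854_775_808    # figure quoted in the post (equals 2**63)

def truncated_sha1(message: bytes, hex_digits: int) -> str:
    """First `hex_digits` characters of the 40-character SHA-1 hex digest."""
    return hashlib.sha1(message).hexdigest()[:hex_digits]

def find_collision(hex_digits: int, prefix: bytes = b"constructed-msg-"):
    """Hash distinct messages until two share the same truncated digest.

    Returns (first_message, second_message, hashes_computed).
    """
    seen = {}  # truncated digest -> message that produced it
    for attempts in count(1):
        msg = prefix + str(attempts).encode()
        tag = truncated_sha1(msg, hex_digits)
        if tag in seen:
            return seen[tag], msg, attempts
        seen[tag] = msg

def brute_force_speedup() -> int:
    """Generic birthday bound for the full digest (2**80) over the quoted attack work."""
    return 2 ** (SHA1_BITS // 2) // ATTACK_WORK

if __name__ == "__main__":
    for digits in (4, 6, 8):
        a, b, n = find_collision(digits)
        # Birthday estimate: about 2**(bits/2) hashes, and bits = 4 * digits.
        print(f"{digits} hex digits: {a!r} / {b!r} collide after {n} hashes "
              f"(birthday estimate ~{2 ** (digits * 2)})")
    print(f"full SHA-1: brute force is ~{brute_force_speedup():,}x the quoted attack work")
```

Each extra hex digit multiplies the brute-force effort by about four, which is why the search finishes instantly at 8 digits and is out of reach at 40 without a cryptanalytic shortcut.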
The impact of this find is that an attacker could submit a malicious document that has the same hash as a benign one. SHA-1 is not some simple hash function. Because SHA-1 has been used for certificate verification and validation of documents, having someone break this system is disturbing. SHA-1 has been used for browser security and code management. Git and SVN do use SHA-1. According to ZDNet, at least the creators of Git do not think it is a huge concern. However, they mention that Git will be sunsetting SHA-1.
For most browsers, though, the key words would be “has been”, as Google Chrome has been sunsetting uses of SHA-1 for several years, and the same goes for Firefox. There was a wake-up call in 2005 when researchers in China found a theoretical method to find a collision, which prompted people in the industry to start shifting hash functions. Now, in Feb 2017, Google and the CWI Institute have proven it in the practical sense. Bitcoin uses a SHA-256 hash function. More of the concern for Bitcoin would be that the source code is all in Git but again, at least the creators of Git say “Don’t Worry”.